
Windows Analysis Report
gem1.exe

Overview

General Information

Sample name: gem1.exe
Analysis ID: 1589410
MD5: b151d347d2f47dad2db0aa029dd6c9dd
SHA1: 8e191fc786e010f93c9bcc41de3a42e1e16fa345
SHA256: 5c0ead3d71e0c901aef2a4c7a2ad29212fcb9f8dc49c5e6b524f822ec65511fd
Tags: 66-63-187-250, exe, user-JAMESWT_MHT

Detection

CredGrabber, Meduza Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Terminates after testing mutex exists (may check infected machine status)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • gem1.exe (PID: 2432 cmdline: "C:\Users\user\Desktop\gem1.exe" MD5: B151D347D2F47DAD2DB0AA029DD6C9DD)
    • conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • gem1.exe (PID: 5864 cmdline: "C:\Users\user\Desktop\gem1.exe" MD5: B151D347D2F47DAD2DB0AA029DD6C9DD)
    • WerFault.exe (PID: 6808 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 152 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
{"C2 url": "66.63.187.173", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt; .doc; .xlsx", "build_name": "5", "links": "", "port": 15666}
Source | Rule | Description | Author
00000003.00000002.2344357302.0000000001578000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp | infostealer_win_meduzastealer | Finds MeduzaStealer samples based on specific strings | Sekoia.io
  Strings:
  • 0xff0dc:$str01: emoji
  • 0x1018d8:$str02: %d-%m-%Y, %H:%M:%S
  • 0x101940:$str03: [UTC
  • 0x10194c:$str04: user_name
  • 0x101970:$str05: computer_name
  • 0x101994:$str06: timezone
  • 0x1018c4:$str07: current_path()
  • 0xff0a8:$str08: [json.exception.
  • 0x11502e:$str09: GDI32.dll
  • 0x1152a0:$str10: GdipGetImageEncoders
  • 0x115318:$str10: GdipGetImageEncoders
  • 0x114948:$str11: GetGeoInfoA
Process Memory Space: gem1.exe PID: 5864 | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
Process Memory Space: gem1.exe PID: 5864 | JoeSecurity_CredGrabber | Yara detected CredGrabber | Joe Security

Source | Rule | Description | Author
0.2.gem1.exe.3b01f70.0.unpack | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
0.2.gem1.exe.3b01f70.0.unpack | infostealer_win_meduzastealer | Finds MeduzaStealer samples based on specific strings | Sekoia.io
  Strings:
  • 0xfbcdc:$str01: emoji
  • 0xfe4d8:$str02: %d-%m-%Y, %H:%M:%S
  • 0xfe540:$str03: [UTC
  • 0xfe54c:$str04: user_name
  • 0xfe570:$str05: computer_name
  • 0xfe594:$str06: timezone
  • 0xfe4c4:$str07: current_path()
  • 0xfbca8:$str08: [json.exception.
  • 0x111c2e:$str09: GDI32.dll
  • 0x111ea0:$str10: GdipGetImageEncoders
  • 0x111f18:$str10: GdipGetImageEncoders
  • 0x111548:$str11: GetGeoInfoA
0.2.gem1.exe.3b01f70.0.raw.unpack | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
0.2.gem1.exe.3b01f70.0.raw.unpack | infostealer_win_meduzastealer | Finds MeduzaStealer samples based on specific strings | Sekoia.io
  Strings:
  • 0xfd6dc:$str01: emoji
  • 0xffed8:$str02: %d-%m-%Y, %H:%M:%S
  • 0xfff40:$str03: [UTC
  • 0xfff4c:$str04: user_name
  • 0xfff70:$str05: computer_name
  • 0xfff94:$str06: timezone
  • 0xffec4:$str07: current_path()
  • 0xfd6a8:$str08: [json.exception.
  • 0x11362e:$str09: GDI32.dll
  • 0x1138a0:$str10: GdipGetImageEncoders
  • 0x113918:$str10: GdipGetImageEncoders
  • 0x112f48:$str11: GetGeoInfoA
3.2.gem1.exe.400000.0.raw.unpack | JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-12T09:26:12.953630+0100 | 2049441 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 66.63.187.173 | 15666 | TCP
2025-01-12T09:26:12.953630+0100 | 2050806 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 66.63.187.173 | 15666 | TCP
2025-01-12T09:26:12.959172+0100 | 2050806 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 66.63.187.173 | 15666 | TCP
2025-01-12T09:26:12.953630+0100 | 2050807 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 66.63.187.173 | 15666 | TCP
2025-01-12T09:26:12.959172+0100 | 2050807 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 66.63.187.173 | 15666 | TCP


AV Detection

Source: gem1.exe | Avira: detected
Source: 3.2.gem1.exe.400000.0.raw.unpack | Malware Configuration Extractor: Meduza Stealer {"C2 url": "66.63.187.173", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt; .doc; .xlsx", "build_name": "5", "links": "", "port": 15666}
Source: gem1.exe | ReversingLabs: Detection: 63%
Source: gem1.exe | Virustotal: Detection: 62%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.2% probability
Source: gem1.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_0047A610 CryptUnprotectData,LocalFree,3_2_0047A610
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_0043D4A0 BCryptDestroyKey,3_2_0043D4A0
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_0047A950 CryptProtectData,LocalFree,3_2_0047A950
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_0047AAE0 BCryptDecrypt,BCryptDecrypt,3_2_0047AAE0
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_00440B60 CryptUnprotectData,LocalFree,3_2_00440B60
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_0047AE10 BCryptCloseAlgorithmProvider,3_2_0047AE10
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_0047AE80 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,3_2_0047AE80
Source: gem1.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: gem1.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Windows.Forms.pdb | source: WERBB3.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb | source: WERBB3.tmp.dmp.7.dr
Source: Binary string: System.ni.pdbRSDS | source: WERBB3.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdb | source: WERBB3.tmp.dmp.7.dr
Source: Binary string: System.pdb) | source: WERBB3.tmp.dmp.7.dr
Source: Binary string: Handler.pdb | source: gem1.exe, WERBB3.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdbRSDS | source: WERBB3.tmp.dmp.7.dr
Source: Binary string: System.ni.pdb | source: WERBB3.tmp.dmp.7.dr
Source: Binary string: System.pdb | source: WERBB3.tmp.dmp.7.dr
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_004402D0 FindFirstFileW,FindNextFileW,3_2_004402D0
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_004B84C0 FindClose,FindFirstFileExW,GetLastError,3_2_004B84C0
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_004B8545 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,3_2_004B8545
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_004B84E0 FindFirstFileExW,3_2_004B84E0
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_004BAB85 FindFirstFileExW,3_2_004BAB85
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_00487550 GetLogicalDriveStringsW,3_2_00487550
Source: C:\Users\user\Desktop\gem1.exe | File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\gem1.exe | File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\gem1.exe | File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\gem1.exe | File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\gem1.exe | File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\gem1.exe | File opened: D:\sources\replacementmanifests\hwvid-migration-2\

Networking

Source: Network traffic | Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.6:49709 -> 66.63.187.173:15666
Source: Network traffic | Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.6:49709 -> 66.63.187.173:15666
Source: global traffic | TCP traffic: 192.168.2.6:49709 -> 66.63.187.173:15666
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Accept: text/html; text/plain; */*
  Host: api.ipify.org
  Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | IP Address: 66.63.187.173
Source: Joe Sandbox View | ASN Name: ASN-QUADRANET-GLOBALUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: api.ipify.org
Source: Network traffic | Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.6:49709 -> 66.63.187.173:15666
Source: unknown | TCP traffic detected without corresponding DNS query: 66.63.187.173
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_00485350 recv,recv,recv,recv,recv,recv,closesocket,WSACleanup,3_2_00485350
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Accept: text/html; text/plain; */*
  Host: api.ipify.org
  Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
Source: gem1.exe, 00000003.00000002.2344357302.0000000001578000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_00485F00 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,3_2_00485F00

System Summary

Source: 0.2.gem1.exe.3b01f70.0.unpack, type: UNPACKEDPE | Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 0.2.gem1.exe.3b01f70.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 3.2.gem1.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 3.2.gem1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 0.2.gem1.exe.39d9550.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_0048A0A0 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,3_2_0048A0A0
Source: C:\Users\user\Desktop\gem1.exe | Code function: 3_2_0048A710 RtlAcquirePebLock,NtAllocateVirtualMemory,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,3_2_0048A710
                Source: C:\Users\user\Desktop\gem1.exeCode function: String function: 004AC500 appears 58 times
                Source: C:\Users\user\Desktop\gem1.exeCode function: String function: 004517F0 appears 53 times
                Source: C:\Users\user\Desktop\gem1.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 152
                Source: gem1.exe, 00000000.00000000.2147643921.0000000000542000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamerasdlui.exej% vs gem1.exe
                Source: gem1.exe, 00000000.00000002.2201983275.0000000000A3E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs gem1.exe
                Source: gem1.exe, 00000000.00000002.2202846125.00000000039D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamerasdlui.exej% vs gem1.exe
                Source: gem1.exeBinary or memory string: OriginalFilenamerasdlui.exej% vs gem1.exe
                Source: gem1.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 0.2.gem1.exe.3b01f70.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
                Source: 0.2.gem1.exe.3b01f70.0.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
                Source: 3.2.gem1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
                Source: 3.2.gem1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
                Source: 0.2.gem1.exe.39d9550.1.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
                Source: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
                Source: gem1.exe Static PE information: Section: .bss ZLIB complexity 1.0003138195647467
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/5@1/2
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_0048CB50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,3_2_0048CB50
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_004473D0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,3_2_004473D0
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_00477EE0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocStringByteLen,SysFreeString,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysStringByteLen,SysFreeString,SysFreeString,3_2_00477EE0
                Source: C:\Users\user\Desktop\gem1.exe Mutant created: NULL
                Source: C:\Users\user\Desktop\gem1.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E69636FA32EF8
                Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2432
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1488:120:WilError_03
                Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\eb4cb8fe-fc4a-4c18-a5be-8cac1d2c1bc5
                Source: gem1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: gem1.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\gem1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: gem1.exe ReversingLabs: Detection: 63%
                Source: gem1.exe Virustotal: Detection: 62%
                Source: C:\Users\user\Desktop\gem1.exe File read: C:\Users\user\Desktop\gem1.exe
                Source: unknown Process created: C:\Users\user\Desktop\gem1.exe "C:\Users\user\Desktop\gem1.exe"
                Source: C:\Users\user\Desktop\gem1.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\gem1.exe Process created: C:\Users\user\Desktop\gem1.exe "C:\Users\user\Desktop\gem1.exe"
                Source: C:\Users\user\Desktop\gem1.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 152
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: vaultcli.dll
                Source: C:\Users\user\Desktop\gem1.exe Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\gem1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                Source: C:\Users\user\Desktop\gem1.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: gem1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: gem1.exe Static file information: File size 1214976 > 1048576
                Source: gem1.exe Static PE information: Raw size of .bss is bigger than: 0x100000 < 0x120a00
                Source: gem1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: gem1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: System.Windows.Forms.pdb source: WERBB3.tmp.dmp.7.dr
                Source: Binary string: mscorlib.pdb source: WERBB3.tmp.dmp.7.dr
                Source: Binary string: System.ni.pdbRSDS source: WERBB3.tmp.dmp.7.dr
                Source: Binary string: mscorlib.ni.pdb source: WERBB3.tmp.dmp.7.dr
                Source: Binary string: System.pdb) source: WERBB3.tmp.dmp.7.dr
                Source: Binary string: Handler.pdb source: gem1.exe, WERBB3.tmp.dmp.7.dr
                Source: Binary string: mscorlib.ni.pdbRSDS source: WERBB3.tmp.dmp.7.dr
                Source: Binary string: System.ni.pdb source: WERBB3.tmp.dmp.7.dr
                Source: Binary string: System.pdb source: WERBB3.tmp.dmp.7.dr
                Source: gem1.exe Static PE information: 0xD2E802CF [Sun Feb 15 22:33:51 2082 UTC]
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_00446400 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,3_2_00446400
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_004ACE0C push ecx; ret 3_2_004ACE1F
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_0047E240 GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,ExitProcess,ReleaseMutex,CloseHandle,3_2_0047E240
                Source: C:\Users\user\Desktop\gem1.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\gem1.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\gem1.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\gem1.exe Memory allocated: E90000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\gem1.exe Memory allocated: 29D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\gem1.exe Memory allocated: 27D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\gem1.exe Check user administrative privileges: GetTokenInformation, DecisionNodes graph_3-49801
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_004402D0 FindFirstFileW,FindNextFileW,3_2_004402D0
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_004B84C0 FindClose,FindFirstFileExW,GetLastError,3_2_004B84C0
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_004B8545 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,3_2_004B8545
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_004B84E0 FindFirstFileExW,3_2_004B84E0
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_004BAB85 FindFirstFileExW,3_2_004BAB85
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_00487550 GetLogicalDriveStringsW,3_2_00487550
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_00498574 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,3_2_00498574
                Source: C:\Users\user\Desktop\gem1.exe File opened: D:\sources\migration\
                Source: C:\Users\user\Desktop\gem1.exe File opened: D:\sources\replacementmanifests\
                Source: C:\Users\user\Desktop\gem1.exe File opened: D:\sources\migration\wtr\
                Source: C:\Users\user\Desktop\gem1.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
                Source: C:\Users\user\Desktop\gem1.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
                Source: C:\Users\user\Desktop\gem1.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
                Source: Amcache.hve.7.dr Binary or memory string: VMware
                Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
                Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
                Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
                Source: gem1.exe, 00000003.00000002.2344357302.0000000001578000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh$^
                Source: gem1.exe, 00000003.00000002.2344357302.00000000015C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
                Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
                Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
                Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
                Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: C:\Users\user\Desktop\gem1.exe API call chain: ExitProcess graph end node graph_3-49821
                Source: C:\Users\user\Desktop\gem1.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\gem1.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_0048A710 RtlAcquirePebLock,NtAllocateVirtualMemory,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,3_2_0048A710
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_004BA04D IsDebuggerPresent,OutputDebugStringW,3_2_004BA04D
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_00498574 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C 3_2_00498574
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_00446400 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,3_2_00446400
                Source: C:\Users\user\Desktop\gem1.exe Code function: 0_2_029D8089 mov edi, dword ptr fs:[00000030h] 0_2_029D8089
                Source: C:\Users\user\Desktop\gem1.exe Code function: 0_2_029D8206 mov edi, dword ptr fs:[00000030h] 0_2_029D8206
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_004A6CD3 GetProcessHeap,3_2_004A6CD3
                Source: C:\Users\user\Desktop\gem1.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_004AC6BF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_004AC6BF
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_004AC80A SetUnhandledExceptionFilter,3_2_004AC80A
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_00497B2D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00497B2D
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_004ABFD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_004ABFD4
                Source: C:\Users\user\Desktop\gem1.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\gem1.exe Code function: 0_2_029D8089 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_029D8089
                Source: C:\Users\user\Desktop\gem1.exe Memory written: C:\Users\user\Desktop\gem1.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_0047D2F0 ShellExecuteW,OpenProcessToken,GetCurrentProcess,GetTokenInformation,std::ios_base::_Ios_base_dtor,3_2_0047D2F0
                Source: C:\Users\user\Desktop\gem1.exe Process created: C:\Users\user\Desktop\gem1.exe "C:\Users\user\Desktop\gem1.exe"
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_00486C50 cpuid 3_2_00486C50
                Source: C:\Users\user\Desktop\gem1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_004A6109
                Source: C:\Users\user\Desktop\gem1.exe Code function: GetLocaleInfoEx,FormatMessageA,3_2_004B824D
                Source: C:\Users\user\Desktop\gem1.exe Code function: GetLocaleInfoW,3_2_004A620F
                Source: C:\Users\user\Desktop\gem1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_004A62E5
                Source: C:\Users\user\Desktop\gem1.exe Code function: EnumSystemLocalesW,3_2_0049C70E
                Source: C:\Users\user\Desktop\gem1.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW,3_2_004A5970
                Source: C:\Users\user\Desktop\gem1.exe Code function: EnumSystemLocalesW,3_2_004A5C67
                Source: C:\Users\user\Desktop\gem1.exe Code function: EnumSystemLocalesW,3_2_004A5C1C
                Source: C:\Users\user\Desktop\gem1.exe Code function: GetLocaleInfoW,3_2_0049CCB0
                Source: C:\Users\user\Desktop\gem1.exe Code function: EnumSystemLocalesW,3_2_004A5D02
                Source: C:\Users\user\Desktop\gem1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_004A5D8D
                Source: C:\Users\user\Desktop\gem1.exe Code function: GetLocaleInfoW,3_2_004A5FE0
                Source: C:\Users\user\Desktop\gem1.exe Queries volume information: C:\Users\user\Desktop\gem1.exe VolumeInformation
                Source: C:\Users\user\Desktop\gem1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\gem1.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\gem1.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_00497EC8 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,3_2_00497EC8
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_004863F0 GetUserNameW,3_2_004863F0
                Source: C:\Users\user\Desktop\gem1.exe Code function: 3_2_004A1074 GetTimeZoneInformation,3_2_004A1074
                Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
                Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

                Source: Yara match File source: Process Memory Space: gem1.exe PID: 5864, type: MEMORYSTR
                Source: Yara match File source: 0.2.gem1.exe.3b01f70.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.gem1.exe.3b01f70.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.2.gem1.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.2.gem1.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.gem1.exe.39d9550.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000003.00000002.2344357302.0000000001578000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: gem1.exe PID: 5864, type: MEMORYSTR
                Source: gem1.exe, 00000003.00000002.2344357302.0000000001578000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Electrum-LTC\wallets
                Source: gem1.exe, 00000003.00000002.2344357302.0000000001578000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ElectronCash\wallets
                Source: gem1.exe, 00000003.00000002.2344357302.0000000001578000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
                Source: gem1.exe, 00000003.00000002.2344357302.0000000001578000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Exodus\exodus.wallet
                Source: gem1.exe, 00000003.00000002.2344357302.0000000001578000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Ethereum\keystore
                Source: gem1.exe, 00000003.00000002.2344357302.0000000001578000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Ethereum\keystore
                Source: C:\Users\user\Desktop\gem1.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-coreJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.jsJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001Jump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqliteJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.dbJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOGJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENTJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCKJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.oldJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\gem1.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior

                Remote Access Functionality

Source: Yara match | File source: Process Memory Space: gem1.exe PID: 5864, type: MEMORYSTR
Source: Yara match | File source: 0.2.gem1.exe.3b01f70.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.gem1.exe.3b01f70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.gem1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.gem1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.gem1.exe.39d9550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2344357302.0000000001578000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gem1.exe PID: 5864, type: MEMORYSTR

ATT&CK Matrix

Techniques per tactic; where the report marks a technique with a count, that count precedes the technique name.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: 2 Native API, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: 1 Exploitation for Privilege Escalation, 1 DLL Side-Loading, 1 Access Token Manipulation, 211 Process Injection, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: 11 Disable or Modify Tools, 1 Deobfuscate/Decode Files or Information, 2 Obfuscated Files or Information, 1 Software Packing, 1 Timestomp, 1 DLL Side-Loading, 2 Virtualization/Sandbox Evasion, 1 Access Token Manipulation, 211 Process Injection, Dynamic API Resolution
Credential Access: 1 OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: 12 System Time Discovery, 1 Account Discovery, 3 File and Directory Discovery, 34 System Information Discovery, 1 Query Registry, 41 Security Software Discovery, 2 Virtualization/Sandbox Evasion, 2 Process Discovery, 1 System Owner/User Discovery, 1 System Network Configuration Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: 1 Archive Collected Data, 2 Data from Local System, 1 Screen Capture, 1 Email Collection, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: 2 Ingress Tool Transfer, 21 Encrypted Channel, 1 Non-Standard Port, 2 Non-Application Layer Protocol, 3 Application Layer Protocol, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
Source | Detection | Scanner | Label
gem1.exe | 63% | ReversingLabs | Win32.Infostealer.Tinba
gem1.exe | 62% | Virustotal |
gem1.exe | 100% | Avira | HEUR/AGEN.1359509
gem1.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.7.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
66.63.187.173 | unknown | United States | 8100 | ASN-QUADRANET-GLOBALUS | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1589410
Start date and time: 2025-01-12 09:25:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: gem1.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/5@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 86
• Number of non-executed functions: 46
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.73.29, 40.126.31.69, 13.107.246.45, 20.109.210.53
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:26:13 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.12.205:
  Yoranis Setup.exe | malicious | Unknown | api.ipify.org/
  RtU8kXPnKr.exe | malicious | Quasar | api.ipify.org/
  jgbC220X2U.exe | malicious | Unknown | api.ipify.org/?format=text
  xKvkNk9SXR.exe | malicious | TrojanRansom | api.ipify.org/
  GD8c7ARn8q.exe | malicious | TrojanRansom | api.ipify.org/
  8AbMCL2dxM.exe | malicious | RCRU64, TrojanRansom | api.ipify.org/
  Simple2.exe | malicious | Unknown | api.ipify.org/
  Ransomware Mallox.exe | malicious | Targeted Ransomware | api.ipify.org/
  Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/
  6706e721f2c06.exe | malicious | Remcos | api.ipify.org/
66.63.187.173:
  gem1.exe | malicious | CredGrabber, Meduza Stealer |
  drop1.exe | malicious | CredGrabber, Meduza Stealer |
  drop1.exe | malicious | CredGrabber, Meduza Stealer |
  drop1.exe | malicious | CredGrabber, Meduza Stealer |
  file.exe | malicious | CredGrabber, Meduza Stealer |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org:
  https://pub-ce1f93897bdf44e9b1cd99ad0325c570.r2.dev/index.html | malicious | HTMLPhisher | 172.67.74.152
  https://support-confirm-help.click/ | malicious | Unknown | 172.67.74.152
  zmpZMfK1b4.exe | malicious | CredGrabber, Meduza Stealer | 172.67.74.152
  kAsh3nmsgs.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
  dhPWt112uC.exe | malicious | AgentTesla | 104.26.13.205
  JuIZye2xKX.exe | malicious | AgentTesla | 172.67.74.152
  ZeAX5i7cGB.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
  jKqPSehspS.exe | malicious | AgentTesla | 104.26.12.205
  A6AHI7Uk18.exe | malicious | AgentTesla | 172.67.74.152
  Wru9ycO2MJ.exe | malicious | AgentTesla | 104.26.13.205

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS:
  176.113.115.170.ps1 | malicious | LummaC | 172.67.160.193
  https://accountsupporthub.es/generate/Login/ | malicious | Unknown | 104.21.90.106
  Solara.exe | malicious | Python Stealer, Exela Stealer, Xmrig | 162.159.134.233
  resembleC2.exe | malicious | Blank Grabber, Umbral Stealer | 162.159.135.232
  Bootstrapper.exe | malicious | LummaC | 172.67.219.181
  http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/ | malicious | Unknown | 104.21.56.69
  http://www.telegramstg.com/ | malicious | Unknown | 104.21.22.141
  http://www.eovph.icu/ | malicious | Unknown | 104.21.1.232
  http://app-metamask.godaddysites.com/ | malicious | Unknown | 104.17.25.14
  http://www.grhga.icu/ | malicious | Unknown | 104.21.57.146
ASN-QUADRANET-GLOBALUS:
  egpTyFpA8v.exe | malicious | AsyncRAT | 69.174.100.131
  Nfi2yQDBda.exe | malicious | Remcos | 69.174.98.48
  rO37Xq39IF.exe | malicious | Remcos | 69.174.98.48
  frosty.sh4.elf | malicious | Mirai | 45.199.228.228
  xLDz0WPZYc.exe | malicious | GuLoader | 66.63.187.30
  xLDz0WPZYc.exe | malicious | GuLoader | 66.63.187.30
  vQyKfYxzXB.exe | malicious | Remcos | 69.174.98.48
  https://zfrmz.com/3GiGYUP4BArW2NBgkPU3 | malicious | Unknown | 45.61.152.125
  gem1.exe | malicious | CredGrabber, Meduza Stealer | 66.63.187.173
  armv5l.elf | malicious | Unknown | 104.237.80.14

Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19:
  1387457-38765948.15.exe | malicious | Nitol | 104.26.12.205
  1387457-38765948.15.exe | malicious | Unknown | 104.26.12.205
  build.exe | malicious | Vidar | 104.26.12.205
  zmpZMfK1b4.exe | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
  ix8kxoBHDb.exe | malicious | Remcos, GuLoader | 104.26.12.205
  b0cQukXPAl.exe | malicious | LummaC | 104.26.12.205
  c7WJL1gt32.exe | malicious | GuLoader, MassLogger RAT | 104.26.12.205
  ZaRP7yvL1J.exe | malicious | MassLogger RAT | 104.26.12.205
  grrezORe7h.exe | malicious | GuLoader, MassLogger RAT | 104.26.12.205
  14lVOjBoI2.exe | malicious | GuLoader, MassLogger RAT | 104.26.12.205
                                No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8887530178392387
Encrypted: false
SSDEEP: 96:cpCFdTslNKursrtcBjTOAqyS3QXIDcQlc6VcEdcw3V+BHUHZ0ownOgHkEwH3dEFp:cIo4ur4A0LR3EaGGzuiF1Z24IO8B
MD5: 04304403CC482F1A152A70A04A55A8B4
SHA1: 5014D43A225FCD84EC43DFA122CD0477E2823C17
SHA-256: 856FF0B9FC30D72E046860490D501F802C1727618F3C2DF4940D0F673C8E0AE6
SHA-512: 1ADD11939FF7ED7689F1975BA1E93CED31B4EA6D94BB7A6DB65A47503406CA7C0E715BAB92231AA44BA968F990E0D728C71880EF83B3A271EBE81431492BAC46
Malicious: true
Reputation: low
Preview (UTF-16 decoded, one field per line in the file): Version=1 EventType=BEX EventTime=133811439695324611 ReportType=2 Consent=1 UploadTime=133811439711574833 ReportStatus=524384 ReportIdentifier=d70f4b9c-129d-44b9-9413-bdafdbcd51f5 IntegratorReportIdentifier=a6e45d2b-00c0-4179-8f0b-4bab4fd74115 Wow64Host=34404 Wow64Guest=332 NsAppName=gem1.exe OriginalFilename=rasdlui.exe AppSessionGuid=00000980-0001-0015-8642-44a1cb64db01 TargetAppId=W:0006e09c701521111759bd9b5099571c033d00000904!00008e191fc786e010f93c9bcc41de3a42e1e16fa345!gem1.e
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4741
Entropy (8bit): 4.436055515159477
Encrypted: false
SSDEEP: 48:cvIwWl8zsrJg77aI9FQxDrWpW8VYZvYm8M4J9dxPcf6FxOm+q8vedxPcf/0Q2cnz:uIjfFI7HQx27VVJSfwtKDf/0QLn9d
MD5: AA271BB8FD3F2283E8225D54C9B1DFC5
SHA1: FB3A4BCABE2277EBDCC1C592BE3B640E3F61A9E7
SHA-256: 546557A64E6DC141D7D4B7AE6C29525D32A097178893F4E943631D961214C1E5
SHA-512: 4C8DB4A3FD134E7877C6B3218658B6DF3E65A2E864B2AB39C12EECAE34E2DE38BFBF64C1AD425897D0B9BBC300E4B5A8F9BB0F60718E028FAB73FD040DB8C05F
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <req ver="2"> <tlm> <src> <desc> <mach> <os> <arg nm="vermaj" val="10" /> <arg nm="vermin" val="0" /> <arg nm="verbld" val="19045" /> <arg nm="vercsdbld" val="2006" /> <arg nm="verqfe" val="2006" /> <arg nm="csdbld" val="2006" /> <arg nm="versp" val="0" /> <arg nm="arch" val="9" /> <arg nm="lcid" val="2057" /> <arg nm="geoid" val="223" /> <arg nm="sku" val="48" /> <arg nm="domain" val="0" /> <arg nm="prodsuite" val="256" /> <arg nm="ntprodtype" val="1" /> <arg nm="platid" val="2" /> <arg nm="tmsi" val="672448" /> <arg nm="osinsty" val="1" /> <arg nm="iever" val="11.789.19041.0-11.0.1000" /> <arg nm="portos" val="0" /> <arg nm="ram" val="409
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sun Jan 12 08:26:10 2025, 0x1205a4 type
Category: dropped
Size (bytes): 154229
Entropy (8bit): 3.7476874695117988
Encrypted: false
SSDEEP: 1536:NTjcpN4uE2aOXeYCDDLTgtKAJ07zcPk8tTDGfRuBojR4L:hjq4uEqXeTDLTgi6WfH4
MD5: AF44038F62D18C6EC7E8BE9A7E06CA4B
SHA1: 47CD8EC2B7CE6C5BAFA28F4E5F8B22E099FCEE5A
SHA-256: 9D7D41A302CD4B2E352A2D12486230A62C567949E9B4F4318ECF9546E3D26942
SHA-512: 6BDF7592041457918EADCB3C88BEF71CCD28B9787C22B49306207F2C4255BD60DEA7AEE0EDFE25691D2C3C6E99FD663A373F0C55E5BEB47DBEED3071FE9F0497
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8378
Entropy (8bit): 3.689416373383232
Encrypted: false
SSDEEP: 192:R6l7wVeJgCb6IpJ6Y2DaSU9APpgmf6sVJLprm89bIFsfHYm:R6lXJx6I36YnSU92gmf6sVJpIefd
MD5: 82BDD8FCA9876EA31B8F135DA98F0033
SHA1: F1F2CD63AC2DC906C8327BE6DB45616F52500CC2
SHA-256: 8990636BE4959E596CB42D2BBDB8637666916F2182209D507E9EDB0120AC2BD2
SHA-512: B86C172642CF6577280D86A9549F310A090CD5DA8E2B2161A083D4A4EEFC570EF78C378FCADAC7BD651AD7805669B83BFF4E4FE96BB61E85197881A3002E2E4E
Malicious: false
Reputation: low
Preview (UTF-16 decoded): <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>2432</Pi
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.469137233862075
Encrypted: false
SSDEEP: 6144:nzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNqjDH5S:zZHtYZWOKnMM6bFpAj4
MD5: EBEDF4E0DE76EDB28F163B598477B255
SHA1: 872228C3F0B1AFA8F0FB5685C8449AC7B7473E35
SHA-256: 358980C716116EB64837EC57289E258B83B9ECFCA89AB7C8C2AF463398DAE9C5
SHA-512: C6B03CE2A7B1916A8CEFA832D629A79C30BD0E4F84C55C41DCFB9CD85AE99DD5903937ACE71E36AA3EF07A085097500426D3B670AF4EB8D92DCAC884A1EE8EA5
Malicious: false
Reputation: low
                                File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.9930446065489615
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name:gem1.exe
                                File size:1'214'976 bytes
                                MD5:b151d347d2f47dad2db0aa029dd6c9dd
                                SHA1:8e191fc786e010f93c9bcc41de3a42e1e16fa345
                                SHA256:5c0ead3d71e0c901aef2a4c7a2ad29212fcb9f8dc49c5e6b524f822ec65511fd
                                SHA512:cb6e1d0d13a00713afc45557cff0a6d71024fda5d509356a04e09d0c999b219e221c3bdd7702043f1cb9290329c3fb9ad121168f60f5a94f5a0d50e45abdc81b
                                SSDEEP:24576:RQu06mH2AfjusEQ3MWTwGxXjfAnpiYQ7eVGKtFwVrJa/tXjuD/:3LmH2AfisEQ5XEnpI74arM/tXj+/
                                TLSH:0745332CFA0BDD2AC27D2D7B44940F4091A1A39B1CABED63B04C725657976BBCA11D38
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..v............... ........@.. ..............................*u....`................................
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0x4094ee
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows cui
                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0xD2E802CF [Sun Feb 15 22:33:51 2082 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(followed by 98 x "add byte ptr [eax], al": the disassembler decoding the zero bytes that pad the stub)
This is the standard native entry stub of a .NET executable, not sample-specific code: 0x402000 is Imagebase 0x400000 plus the IAT RVA 0x2000 listed in the data directories below, and the only IAT entry is mscoree.dll!_CorExeMain, which hands control to the CLR. None of the sample's own logic is visible here; the managed code, and the 1.18 MB high-entropy .bss section it ships with, are where analysis has to go.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x94a0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x3f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9457 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x74f4 | 0x7600 | f32526fd179a80672c86baf3e240d82b | False | 0.5432997881355932 | data | 6.059907975778828 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa000 | 0x3f0 | 0x400 | 244207ec8fc868fc32d1d919de93ef41 | False | 0.44921875 | data | 3.3528869776678194 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc000 | 0xc | 0x200 | 0b272fa35e840df20571830dcdaa7949 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss | 0xe000 | 0x120a00 | 0x120a00 | ede3f5c4c71a23ad8d4561c2ee4dc5fe | False | 1.0003138195647467 | data | 7.99986473770345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
The .bss row is the one to note. A section conventionally reserved for zero-initialised data here carries 0x120a00 (1,182,208) bytes of raw data, about 97% of the 1,214,976-byte file, at an entropy of 7.9999 and a ZLIB complexity above 1.0 (incompressible), and is mapped read/write. That profile fits an encrypted or compressed payload appended by a packer rather than anything a compiler would emit, and it explains the file-level entropy of 7.993 against only 6.06 for the code in .text.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa058 | 0x398 | OpenPGP Secret Key | English | United States | 0.45760869565217394
The "OpenPGP Secret Key" label is the file-type guesser misclassifying the VS_VERSIONINFO structure that every RT_VERSION resource holds; it is not embedded key material.
DLL | Import
mscoree.dll | _CorExeMain
Language of compilation system | Country where language is spoken | Map
English | United States |
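The static properties above (a six-byte native stub in .text, a .bss section carrying over a megabyte of entropy-8 data, a build timestamp in 2082) are the kind of anomalies a triage script should surface before anything is executed. The following is an added example written for this report, not Joe Sandbox code and not code from the sample: it parses the PE header and section table with the standard library only, computes per-section Shannon entropy, and flags a future TimeDateStamp, a .bss section with raw data, near-random sections and writable-plus-executable sections. The input it runs on is a constructed minimal PE32 image that only mimics the report's layout (a jmp [0x402000] stub in .text and a seeded pseudo-random .bss); the 7.9 entropy threshold and the one-day timestamp slack are assumptions to tune per corpus.

```python
"""Static triage of PE section layout and build timestamp.

Added example for this report, not Joe Sandbox code and not the sample's
code. Standard library only. build_demo_pe() constructs a synthetic image
that mimics the report's layout (tiny .text stub, large high-entropy,
writable .bss); it is demo input, not the analysed file.
"""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_SECTION_HEADER characteristics bits (PE/COFF specification).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

ENTROPY_THRESHOLD = 7.9  # assumption: compiler output rarely exceeds ~7.2; tune per corpus


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes):
    """Return (TimeDateStamp, [section dicts]) for a PE32/PE32+ image held in memory."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    sect_table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        (name, vsize, va, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, sect_table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(raw), "chars": chars,
        })
    return timestamp, sections


def triage(pe: bytes, now_epoch: float) -> list:
    """Flag the static anomalies a triage analyst checks first."""
    timestamp, sections = parse_pe(pe)
    findings = []
    if timestamp > now_epoch + 86400:  # more than a day ahead of analysis time
        when = datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d")
        findings.append(f"TimeDateStamp 0x{timestamp:08X} ({when}) lies in the future")
    for s in sections:
        if s["rawsize"] and s["entropy"] >= ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: {s['rawsize']:#x} raw bytes at entropy "
                            f"{s['entropy']:.3f} (encrypted or compressed payload)")
        if s["name"] == ".bss" and s["rawsize"]:
            findings.append(f"{s['name']}: section meant for zero-initialised data carries "
                            f"{s['rawsize']:#x} bytes of raw data")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable")
    return findings


def build_demo_pe(timestamp: int) -> bytes:
    """Constructed minimal PE32 image (demo input only, not the analysed sample)."""
    file_align = 0x200
    # .text: the managed stub 'jmp dword ptr [0x402000]' (FF 25 00 20 40 00) plus zero padding.
    text = bytes.fromhex("ff2500204000").ljust(0x200, b"\0")
    # .bss: 64 KiB of seeded pseudo-random bytes standing in for an encrypted blob.
    blob = random.Random(1337).randbytes(0x10000)
    layout = [
        (b".text", text, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".bss", blob, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    opt_size = 0xE0  # PE32 optional header size
    headers_end = 0x40 + 4 + 20 + opt_size + 40 * len(layout)
    first_raw = -(-headers_end // file_align) * file_align  # round up to file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    sect_hdrs, body, va = bytearray(), bytearray(), 0x2000
    for name, data, chars in layout:
        rawsize = -(-len(data) // file_align) * file_align
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), va, rawsize,
                                 first_raw + len(body), 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        va += -(-len(data) // 0x1000) * 0x1000
    image = (dos + b"PE\0\0" + coff + opt + sect_hdrs).ljust(first_raw, b"\0") + body
    return bytes(image)


if __name__ == "__main__":
    demo = build_demo_pe(0xD2E802CF)  # the TimeDateStamp shown in the report
    # Analysis-time reference fixed at 2025-01-12 00:00 UTC (the report's run date) for reproducibility.
    for line in triage(demo, now_epoch=1736640000):
        print(line)
```

Run against the real file, the same three classes of finding apply: the 2082 timestamp, the 0x120a00-byte .bss at entropy 7.9999, and the fact that .bss has raw data at all. The writable-plus-executable check does not fire on this sample (the code section is read/execute only) and is included because it is the other cheap section-table tell a packer commonly leaves.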
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-12T09:26:12.953630+0100 | 2049441 | ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt | 1 | 192.168.2.6 | 49709 | 66.63.187.173 | 15666 | TCP
2025-01-12T09:26:12.953630+0100 | 2050806 | ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 | 1 | 192.168.2.6 | 49709 | 66.63.187.173 | 15666 | TCP
2025-01-12T09:26:12.953630+0100 | 2050807 | ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) | 1 | 192.168.2.6 | 49709 | 66.63.187.173 | 15666 | TCP
2025-01-12T09:26:12.959172+0100 | 2050806 | ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 | 1 | 192.168.2.6 | 49709 | 66.63.187.173 | 15666 | TCP
2025-01-12T09:26:12.959172+0100 | 2050807 | ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) | 1 | 192.168.2.6 | 49709 | 66.63.187.173 | 15666 | TCP
All five alerts fire on a single flow, 192.168.2.6:49709 to 66.63.187.173:15666 over plain TCP. In the connection table below that flow is opened at 09:26:09.97 and goes quiet while a short TLS exchange with 104.26.12.205:443 completes; the alerts coincide with the burst of traffic on 49709 that begins at 09:26:12.953, which is the exfiltration the signatures describe. For blocking and hunting, the C2 indicator is therefore 66.63.187.173 on TCP/15666.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 09:26:09.973104000 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:09.978102922 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:09.978188992 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:11.101058960 CET | 49711 | 443 | 192.168.2.6 | 104.26.12.205
Jan 12, 2025 09:26:11.101134062 CET | 443 | 49711 | 104.26.12.205 | 192.168.2.6
Jan 12, 2025 09:26:11.101269007 CET | 49711 | 443 | 192.168.2.6 | 104.26.12.205
Jan 12, 2025 09:26:11.146311045 CET | 49711 | 443 | 192.168.2.6 | 104.26.12.205
Jan 12, 2025 09:26:11.146331072 CET | 443 | 49711 | 104.26.12.205 | 192.168.2.6
Jan 12, 2025 09:26:11.612819910 CET | 443 | 49711 | 104.26.12.205 | 192.168.2.6
Jan 12, 2025 09:26:11.612915993 CET | 49711 | 443 | 192.168.2.6 | 104.26.12.205
Jan 12, 2025 09:26:12.038455009 CET | 49711 | 443 | 192.168.2.6 | 104.26.12.205
Jan 12, 2025 09:26:12.038485050 CET | 443 | 49711 | 104.26.12.205 | 192.168.2.6
Jan 12, 2025 09:26:12.039280891 CET | 443 | 49711 | 104.26.12.205 | 192.168.2.6
Jan 12, 2025 09:26:12.039371967 CET | 49711 | 443 | 192.168.2.6 | 104.26.12.205
Jan 12, 2025 09:26:12.058482885 CET | 49711 | 443 | 192.168.2.6 | 104.26.12.205
Jan 12, 2025 09:26:12.103327990 CET | 443 | 49711 | 104.26.12.205 | 192.168.2.6
Jan 12, 2025 09:26:12.164212942 CET | 443 | 49711 | 104.26.12.205 | 192.168.2.6
Jan 12, 2025 09:26:12.164271116 CET | 49711 | 443 | 192.168.2.6 | 104.26.12.205
Jan 12, 2025 09:26:12.164290905 CET | 443 | 49711 | 104.26.12.205 | 192.168.2.6
Jan 12, 2025 09:26:12.164309025 CET | 443 | 49711 | 104.26.12.205 | 192.168.2.6
Jan 12, 2025 09:26:12.164335012 CET | 49711 | 443 | 192.168.2.6 | 104.26.12.205
Jan 12, 2025 09:26:12.164360046 CET | 49711 | 443 | 192.168.2.6 | 104.26.12.205
Jan 12, 2025 09:26:12.165127993 CET | 49711 | 443 | 192.168.2.6 | 104.26.12.205
Jan 12, 2025 09:26:12.165144920 CET | 443 | 49711 | 104.26.12.205 | 192.168.2.6
Jan 12, 2025 09:26:12.953629971 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.959028959 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.959098101 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.959120035 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.959148884 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.959172010 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.959176064 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.959196091 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.959202051 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.959217072 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.959229946 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.959244967 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.959254980 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.959276915 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.959283113 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.959294081 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.959310055 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.959331989 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.959362984 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.959364891 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.959408998 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.964366913 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.964452028 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.964466095 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.964514017 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.964521885 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.964562893 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.964581013 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.964623928 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.964647055 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.964694023 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.964694977 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.964721918 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.964732885 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.964749098 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.964775085 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.964777946 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.964799881 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.964802027 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.964827061 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.964844942 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.964855909 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.964865923 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.964888096 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.964890957 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.964922905 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.964936972 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.969780922 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.969846010 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.969896078 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.969949961 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970027924 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970088005 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970124006 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970172882 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970175028 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970227957 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970238924 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970292091 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970292091 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970355034 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970366001 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970407963 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970434904 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970479965 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970551014 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970577955 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970609903 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970619917 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970627069 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970655918 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970670938 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970709085 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970762968 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970789909 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970807076 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970838070 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970844030 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970871925 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970889091 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970918894 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970917940 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970946074 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970973015 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.970982075 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970993042 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.970999956 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.971025944 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.971035004 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.971045971 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.971075058 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.971101999 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.971107006 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.971116066 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.971127987 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.971153975 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.971167088 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.971177101 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.971188068 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.975987911 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.976068020 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.976216078 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.976264954 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.976311922 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.976357937 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.976409912 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.976459026 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.976463079 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.976516962 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.976522923 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.976567984 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.976568937 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.976617098 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.976708889 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.976735115 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.976752996 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.976768970 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.976778030 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.976824999 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.976923943 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.976972103 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.976988077 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977035999 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977077961 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977103949 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977128983 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977158070 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977230072 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977276087 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977278948 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977302074 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977320910 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977328062 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977349997 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977360964 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977370024 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977385998 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977401018 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977412939 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977421045 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977438927 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977456093 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977483034 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977489948 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977515936 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977529049 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977541924 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977555037 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977567911 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977577925 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977595091 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977610111 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977622032 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977638960 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977648020 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977658033 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977674961 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977689028 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977700949 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977714062 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977727890 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977741003 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977756023 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977782965 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977786064 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977798939 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977809906 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977823973 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977834940 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977845907 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977861881 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977875948 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977886915 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977905989 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977912903 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977931023 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977938890 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977957010 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977965117 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.977988005 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.977991104 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.978009939 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.978015900 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.978034973 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.978041887 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.978058100 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.978068113 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.978080988 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.978095055 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.978108883 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.978125095 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
Jan 12, 2025 09:26:12.978149891 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
Jan 12, 2025 09:26:12.978163958 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:12.978163958 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978190899 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978203058 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978218079 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978228092 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978244066 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978259087 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978270054 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978281975 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978296041 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978305101 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978322983 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978336096 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978348970 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978365898 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978374004 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978390932 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978400946 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978409052 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978425980 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978437901 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978451967 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978461981 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978477955 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978493929 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978502989 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978516102 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978528976 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978540897 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978554964 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978566885 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978579998 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978591919 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978605032 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978620052 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978631973 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978642941 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978657961 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978672028 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978683949 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978693008 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978709936 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.978719950 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.978750944 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.983675003 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.983727932 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.983741045 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.983768940 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.983897924 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.983923912 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.983951092 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.983987093 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.984016895 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.984065056 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.984097958 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.984143972 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.984180927 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.984226942 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.984256983 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.984308004 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.984373093 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.984406948 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.984421968 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.984441996 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.984464884 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.984513998 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.984524965 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.984551907 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.984575987 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.984596968 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.984667063 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.984709978 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.984728098 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.984767914 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.984817982 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.984868050 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.984903097 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.984947920 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.985006094 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.985032082 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.985059023 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.985074997 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.985163927 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.985219002 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.985251904 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.985277891 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.985304117 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.985317945 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.985416889 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.985466957 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.985487938 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.985512972 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.985532045 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.985548973 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.985714912 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.985820055 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.985909939 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.985935926 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.985955954 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.985963106 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.985985041 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.985990047 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.985996962 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986015081 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986035109 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986042976 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986054897 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986069918 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986079931 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986097097 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986110926 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986123085 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986143112 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986149073 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986159086 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986175060 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986186981 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986201048 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986213923 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986227036 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986238956 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986253023 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986269951 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986279011 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986289024 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986304998 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986315966 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986330986 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986342907 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986356974 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986373901 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986382961 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986392021 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986408949 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986418962 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986433983 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986449003 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986459970 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986469984 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986485958 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986504078 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986527920 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986531973 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986568928 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986571074 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986594915 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986608028 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986622095 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986634970 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986648083 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986659050 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986674070 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986690044 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986717939 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986742020 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986745119 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986753941 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986771107 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986782074 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986797094 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986810923 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986823082 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986835003 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986849070 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986859083 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986876011 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986888885 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986901999 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986912012 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986927986 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986942053 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986953020 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986963987 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.986979008 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.986994982 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987004995 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987020016 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987031937 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987047911 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987057924 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987083912 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987093925 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987102985 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987109900 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987121105 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987135887 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987162113 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987166882 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987179041 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987188101 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987200975 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987216949 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987226009 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987251043 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987256050 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987277031 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987293959 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987303972 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987308979 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987341881 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987349987 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987380028 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987397909 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987406015 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987421989 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987432957 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987443924 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987458944 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987474918 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987484932 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987493992 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987510920 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987521887 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987536907 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987549067 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987561941 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987567902 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987586975 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987598896 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987613916 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987637043 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987641096 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987652063 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987667084 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987684011 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987693071 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987703085 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987718105 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987728119 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987744093 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987756968 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987770081 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987775087 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987796068 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987811089 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987821102 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987833977 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987847090 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987871885 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987876892 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987888098 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987901926 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987910986 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987934113 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987935066 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987962008 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.987979889 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.987987041 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.988008976 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.988013029 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.988029957 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.988039017 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.988049984 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.988065004 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.988082886 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.988090992 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.988117933 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.988117933 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.988132000 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.988146067 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.988157988 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.988172054 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.988183975 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.988197088 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.988204002 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.988224030 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.988239050 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.988249063 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.988261938 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.988275051 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.988286972 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.988301039 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:12.988317013 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:12.988326073 CET156664970966.63.187.173192.168.2.6
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 12, 2025 09:26:12.988347054 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988353014 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988364935 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988378048 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988395929 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988404989 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988415003 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988430977 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988446951 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988456011 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988467932 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988481998 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988488913 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988507986 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988523960 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988533020 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988544941 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988560915 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988564968 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988595963 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988596916 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988624096 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988634109 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988650084 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988662004 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988676071 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988691092 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988702059 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988713026 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988728046 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988739014 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988754034 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988773108 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988779068 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988786936 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988805056 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988815069 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988831043 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988842010 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988857031 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988869905 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988883018 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988894939 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988909006 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.988925934 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.988945961 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994148016 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994193077 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994204998 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994213104 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994216919 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994229078 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994240999 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994249105 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994252920 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994265079 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994271040 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994277000 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994281054 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994288921 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994299889 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994304895 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994311094 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994318008 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994327068 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994366884 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994366884 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994385004 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994390965 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994395971 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994416952 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994422913 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994427919 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994429111 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994457006 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994471073 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994483948 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994496107 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994508028 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994520903 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994523048 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994525909 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994532108 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994543076 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994570017 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994592905 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994601011 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994606972 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994616985 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994617939 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994642973 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994658947 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994672060 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994704008 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994705915 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994729042 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994752884 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994765043 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994770050 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994770050 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994775057 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994782925 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994786978 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994806051 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994828939 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994836092 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994842052 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994848967 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994852066 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994870901 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994877100 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994889021 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994908094 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994920015 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994923115 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994932890 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994944096 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994961023 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994962931 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994975090 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.994976997 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994993925 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.994998932 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995008945 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995026112 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995033026 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995042086 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995057106 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995059013 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995070934 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995078087 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995081902 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995099068 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995110035 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995111942 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995121956 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995126009 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995136023 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995142937 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995156050 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995160103 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995178938 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995178938 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995191097 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995193958 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995218992 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995219946 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995233059 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995239973 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995244980 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995249987 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995256901 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995268106 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995270967 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995279074 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995299101 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995311022 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995318890 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995335102 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995356083 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995373011 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995379925 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995385885 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995397091 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995409012 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995418072 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995419979 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995435953 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995455027 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995465994 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995476961 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995517969 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995523930 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995529890 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995541096 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995553017 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995557070 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995564938 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995577097 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995578051 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995588064 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995589018 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995599985 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995614052 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995639086 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995651007 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995661020 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995668888 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995685101 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995686054 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995697975 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995702982 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995707989 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995712996 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995738029 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995752096 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995755911 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995757103 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995763063 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995768070 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995774031 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995789051 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995820045 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995882034 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995887041 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995901108 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995914936 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995922089 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995927095 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995933056 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995938063 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995943069 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995948076 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995951891 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995956898 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995961905 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995966911 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995975018 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.995975018 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.995996952 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996009111 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996033907 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996053934 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996090889 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996110916 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996115923 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.996117115 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996129036 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996134043 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996140003 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996145964 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996151924 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996157885 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996174097 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996179104 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996184111 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996187925 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996196985 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996205091 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.996206999 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996222019 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996242046 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996248007 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:12.996340990 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:12.996407032 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.036386013 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.036659002 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.036726952 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.036787987 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.036838055 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.036887884 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.036938906 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.036984921 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.037041903 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.037085056 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.037139893 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.037185907 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.037245035 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.037278891 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.047736883 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.047892094 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.047950029 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.047991991 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.048053026 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.048078060 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.052820921 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.053009987 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.053076982 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.053112984 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.096354961 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.098562002 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.146104097 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.146382093 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.146454096 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.146502018 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.146555901 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.146604061 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.146652937 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.146703005 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.146755934 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.146806002 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.146851063 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.146899939 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.146954060 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.146996975 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.147047043 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.151493073 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.151674032 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.196399927 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.196636915 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.196697950 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.196742058 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.196790934 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.196836948 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.196893930 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.196942091 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.196986914 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.197030067 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.197081089 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.197093010 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.206206083 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.206222057 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.206401110 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.206470013 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.206510067 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.206548929 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.211220980 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.211543083 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.211596966 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.211630106 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.252417088 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.252476931 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.283620119 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.283732891 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.283837080 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.283902884 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.283946991 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.283991098 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.284040928 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.284096003 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.284145117 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.284200907 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.284214020 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.288800001 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.288937092 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.332369089 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.332438946 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.345875978 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.345969915 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.346102953 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.346170902 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.346218109 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.346275091 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.346324921 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.346374989 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.346427917 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.346481085 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.346502066 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.351006031 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.351229906 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.351279974 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.351332903 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.351373911 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.351424932 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.351485968 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.351504087 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.392277002 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.392514944 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.406872034 CET  15666        49709      66.63.187.173  192.168.2.6
Jan 12, 2025 09:26:13.407083988 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.407160997 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.407207966 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.407255888 CET  49709        15666      192.168.2.6    66.63.187.173
Jan 12, 2025 09:26:13.407293081 CET  15666        49709      66.63.187.173  192.168.2.6
                                Jan 12, 2025 09:26:13.407299995 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.407365084 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.407416105 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.407459974 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.407504082 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.407556057 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.407607079 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.407677889 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.407722950 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.407777071 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.407814980 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.412024021 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.412172079 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.412194014 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.412271976 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.412302017 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.412373066 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.412400961 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.412429094 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.412480116 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.412511110 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.412523031 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.412549019 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.412576914 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.412580967 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.412611961 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.412638903 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.412740946 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.412772894 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.412900925 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.412929058 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.412946939 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.412981987 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413069010 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.413108110 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413140059 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.413167953 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.413199902 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413208008 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413283110 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.413311005 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413333893 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.413363934 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413422108 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.413450003 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413472891 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.413506031 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413520098 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.413553953 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413630009 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.413659096 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413661957 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.413688898 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413703918 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.413738012 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413753033 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.413779974 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413779974 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.413808107 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413815975 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.413887978 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.413995981 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414060116 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414098024 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.414153099 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414202929 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414221048 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414239883 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414243937 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.414252043 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414263964 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414264917 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.414275885 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414285898 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414304972 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414307117 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.414315939 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414328098 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414345980 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.414346933 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414359093 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414370060 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414376974 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.414385080 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414387941 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.414401054 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414406061 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.414412975 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.414431095 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.414462090 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.456573009 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.456816912 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.456886053 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.456933975 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.456978083 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.457020998 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.457073927 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.457123995 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.457179070 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.457218885 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.457274914 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.457319021 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.457374096 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.457417965 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.457477093 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.457509041 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.461004019 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.461149931 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.461214066 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.461944103 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.462002993 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.462021112 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.462086916 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.462116957 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.462157965 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.462161064 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.462214947 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.462239981 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.462289095 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.462321043 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.462376118 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.462395906 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.462430000 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.462440968 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.462493896 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.462511063 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.462553978 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.462584019 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.462634087 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.462655067 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.462706089 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.462709904 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.462768078 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.462843895 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.462892056 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.462898970 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.462949038 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.462951899 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.463002920 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.463035107 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.463114977 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.463144064 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.463202000 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.463232040 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.463264942 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.463299990 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.463350058 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.463496923 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.463545084 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.463561058 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.463612080 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.463645935 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.463690996 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.463743925 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.463772058 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.463795900 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.463829041 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.463865995 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.463908911 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.463965893 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464009047 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464014053 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464020967 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464032888 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464045048 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464059114 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464071035 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464078903 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464085102 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464116096 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464123011 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464143038 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464143038 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464154959 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464164972 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464174986 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464181900 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464186907 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464200974 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464200974 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464216948 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464225054 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464229107 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464240074 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464240074 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464247942 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464251041 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464262962 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464272022 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464277983 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464296103 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464299917 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464315891 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464318037 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464340925 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464342117 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464360952 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464363098 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464373112 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464382887 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464384079 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464404106 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464407921 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464422941 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464428902 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464436054 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464447021 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464456081 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464458942 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464482069 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464487076 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464493990 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464504957 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464515924 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464526892 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464538097 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464557886 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464569092 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464570999 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464585066 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464590073 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464611053 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464622974 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464633942 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464634895 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464659929 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464660883 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464672089 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464685917 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464689970 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464715004 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464715958 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464737892 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464744091 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464749098 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464764118 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464771032 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464780092 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464788914 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464793921 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464801073 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464812040 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464826107 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464827061 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464845896 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464857101 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464859009 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464868069 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464879036 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464883089 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464907885 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464910984 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464922905 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464934111 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464934111 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464946032 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464956045 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464958906 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464967966 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.464984894 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464994907 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.464994907 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.465007067 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.465017080 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.465020895 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.465040922 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.465045929 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.465053082 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.465064049 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.465066910 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.465090990 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.465097904 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.465118885 CET156664970966.63.187.173192.168.2.6
                                Jan 12, 2025 09:26:13.465126991 CET4970915666192.168.2.666.63.187.173
                                Jan 12, 2025 09:26:13.465137959 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465147018 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465158939 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465167999 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465171099 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465182066 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465184927 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465193987 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465209961 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465224028 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465235949 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465246916 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465248108 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465259075 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465277910 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465282917 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465305090 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465312958 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465317011 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465323925 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465327978 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465339899 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465348959 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465362072 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465382099 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465393066 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465394020 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465405941 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465418100 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465428114 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465431929 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465461969 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465473890 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465486050 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465495110 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465507030 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465518951 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465521097 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465542078 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465550900 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465565920 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465578079 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465584040 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465589046 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465600967 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465616941 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465624094 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465636015 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465647936 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465648890 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465667009 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465678930 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465681076 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465689898 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465691090 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465711117 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465714931 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465723038 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465734005 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465734959 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465744972 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465758085 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465766907 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465787888 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465790033 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465814114 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465816021 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465827942 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465837002 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465838909 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465851068 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465862036 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465878963 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465888977 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465890884 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465918064 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465922117 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465941906 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465967894 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465970993 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.465991974 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.465993881 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.466015100 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.466017008 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.466027021 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Jan 12, 2025 09:26:13.466037989 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.466094017 CET | 49709 | 15666 | 192.168.2.6 | 66.63.187.173
                                Jan 12, 2025 09:26:13.466114998 CET | 15666 | 49709 | 66.63.187.173 | 192.168.2.6
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Jan 12, 2025 09:26:11.074896097 CET | 192.168.2.6 | 1.1.1.1 | 0x992e | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Jan 12, 2025 09:26:11.081973076 CET | 1.1.1.1 | 192.168.2.6 | 0x992e | No error (0) | api.ipify.org | - | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                Jan 12, 2025 09:26:11.081973076 CET | 1.1.1.1 | 192.168.2.6 | 0x992e | No error (0) | api.ipify.org | - | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                Jan 12, 2025 09:26:11.081973076 CET | 1.1.1.1 | 192.168.2.6 | 0x992e | No error (0) | api.ipify.org | - | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.6 | 49711 | 104.26.12.205 | 443 | 5864 | C:\Users\user\Desktop\gem1.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2025-01-12 08:26:12 UTC | 100 | OUT | GET / HTTP/1.1
                                    Accept: text/html; text/plain; */*
                                    Host: api.ipify.org
                                    Cache-Control: no-cache
                                2025-01-12 08:26:12 UTC | 424 | IN | HTTP/1.1 200 OK
                                    Date: Sun, 12 Jan 2025 08:26:12 GMT
                                    Content-Type: text/plain
                                    Content-Length: 12
                                    Connection: close
                                    Vary: Origin
                                    CF-Cache-Status: DYNAMIC
                                    Server: cloudflare
                                    CF-RAY: 900bc2a1bf6a4406-EWR
                                    server-timing: cfL4;desc="?proto=TCP&rtt=2376&min_rtt=2335&rtt_var=905&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=738&delivery_rate=1250535&cwnd=186&unsent_bytes=0&cid=972ef64e2270f9e1&ts=565&x=0"
                                2025-01-12 08:26:12 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                    Data Ascii: 8.46.123.189
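The network behaviour recorded above is the stealer's check-in preamble: a DNS lookup for api.ipify.org via 1.1.1.1, an HTTPS GET that returns the sandbox's public address (8.46.123.189), and about a second later a raw TCP session from 192.168.2.6:49709 to 66.63.187.173 on the non-standard port 15666. Two details of the GET are worth a network signature on their own: the request carries no User-Agent at all (its 100 bytes are exactly the request line, the three headers shown and the blank line), and its Accept value "text/html; text/plain; */*" joins media ranges with semicolons, which per the HTTP specification are parameter separators, so no browser or mainstream HTTP library emits it. The Python below is an added example, not Joe Sandbox or Suricata code: it correlates a public-IP lookup with a follow-on connection to an uncommon port on a public address from the same host, and flags the malformed Accept header. The pipe-separated record layout, the hostname list and the function names are assumptions made for the example; the timestamps and endpoints in the constructed records are taken from the report.

```python
"""Added example: correlate a public-IP lookup with a follow-on C2-style connection.

The record format (ts|kind|src|dst|dport|host|accept) is invented for this example;
it is not a Joe Sandbox or Zeek format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address

# "What is my IP" services that infostealers commonly call before reporting in (assumed list).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "ip-api.com", "icanhazip.com"}
# Destination ports that are unremarkable on their own and therefore not correlated.
COMMON_PORTS = {53, 80, 443}

# Constructed records. The first three mirror the report's timestamps and endpoints;
# the last two are a benign host added for contrast.
SAMPLE_EVENTS = """\
2025-01-12T08:26:11.074|dns|192.168.2.6|1.1.1.1|53|api.ipify.org
2025-01-12T08:26:12.000|http|192.168.2.6|104.26.12.205|443|api.ipify.org|text/html; text/plain; */*
2025-01-12T08:26:13.465|conn|192.168.2.6|66.63.187.173|15666|-
2025-01-12T08:30:00.000|dns|192.168.2.7|1.1.1.1|53|www.microsoft.com
2025-01-12T08:30:01.000|conn|192.168.2.7|20.70.246.20|443|-
"""


@dataclass
class Event:
    ts: datetime
    kind: str      # "dns", "http" or "conn"
    src: str
    dst: str
    dport: int
    host: str      # DNS query name or HTTP Host header; "-" for raw connections
    accept: str    # HTTP Accept header, empty when absent


def parse_events(text):
    """Parse the constructed records into Events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 6)
        if len(fields) < 6:
            raise ValueError(f"malformed record: {line!r}")
        ts, kind, src, dst, dport, host = fields[:6]
        accept = fields[6] if len(fields) == 7 else ""
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"),
                            kind, src, dst, int(dport), host, accept))
    return sorted(events, key=lambda e: e.ts)


def malformed_accept(value):
    """True when several media ranges are joined with ';' instead of ','.

    HTTP separates media ranges with commas; a semicolon starts parameters
    (q=0.8 etc.), so "text/html; text/plain; */*" is one range with two bogus
    parameters. Hand-rolled clients in malware get this wrong; browsers do not.
    """
    if "," in value:
        return False
    ranges = [p.strip() for p in value.split(";") if "/" in p]
    return len(ranges) > 1


def correlate(events, window=timedelta(seconds=120)):
    """Pair each IP lookup with the next connection from the same host to an
    uncommon port on a public address inside `window`; one alert per pair."""
    alerts = []
    lookups = {}   # src -> (ts, lookup host) of the most recent IP lookup
    for e in events:
        if e.kind in ("dns", "http") and e.host in IP_LOOKUP_HOSTS:
            lookups[e.src] = (e.ts, e.host)
            continue
        if e.kind != "conn" or e.src not in lookups:
            continue
        seen_at, lookup_host = lookups[e.src]
        if e.ts - seen_at > window:
            continue
        if e.dport in COMMON_PORTS or not ip_address(e.dst).is_global:
            continue
        alerts.append({"src": e.src, "lookup_host": lookup_host, "dst": e.dst,
                       "dport": e.dport, "delta_s": (e.ts - seen_at).total_seconds()})
        del lookups[e.src]   # one alert per lookup; a new lookup re-arms it
    return alerts


def accept_header_hits(events):
    """HTTP events whose Accept header has the stealer's malformed shape."""
    return [e for e in events if e.kind == "http" and malformed_accept(e.accept)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in correlate(evs):
        print(f"[C2 check-in?] {a['src']} looked up {a['lookup_host']} then connected to "
              f"{a['dst']}:{a['dport']} {a['delta_s']:.1f}s later")
    for e in accept_header_hits(evs):
        print(f"[odd Accept] {e.src} -> {e.host}: {e.accept!r}")
```

On the constructed input only 192.168.2.6 is reported: it asked api.ipify.org for its address and 1.465 s later opened 66.63.187.173:15666, while the contrast host's lookup of www.microsoft.com followed by a 443 connection is ignored. The two-minute window and the port allow-list are tuning knobs; a stealer that check-ins over 443 would need the Accept or missing-User-Agent signal instead of the port heuristic.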



                                Target ID:0
                                Start time:03:26:08
                                Start date:12/01/2025
                                Path:C:\Users\user\Desktop\gem1.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\gem1.exe"
                                Imagebase:0x540000
                                File size:1'214'976 bytes
                                MD5 hash:B151D347D2F47DAD2DB0AA029DD6C9DD
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:1
                                Start time:03:26:08
                                Start date:12/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff66e660000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:03:26:08
                                Start date:12/01/2025
                                Path:C:\Users\user\Desktop\gem1.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\gem1.exe"
                                Imagebase:0xe80000
                                File size:1'214'976 bytes
                                MD5 hash:B151D347D2F47DAD2DB0AA029DD6C9DD
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000003.00000002.2344357302.0000000001578000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: infostealer_win_meduzastealer, Description: Finds MeduzaStealer samples based on specific strings, Source: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Sekoia.io
                                Reputation:low
                                Has exited:true

                                Target ID:7
                                Start time:03:26:09
                                Start date:12/01/2025
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 152
                                Imagebase:0xee0000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:6.4%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:53.8%
                                  Total number of Nodes:13
                                  Total number of Limit Nodes:2
                                  execution_graph
                                    Nodes:
                                      2485  e9220a
                                      2488  e9209d
                                      2486  e92122
                                      2489  e906d0
                                      2490  e94318  VirtualProtect
                                      2492  e943a0
                                      2493  29d8206
                                      2494  29d8220  CreateProcessW VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx
                                      2495  29d82c7  WriteProcessMemory
                                      2499  29d81cf  GetPEB
                                      2496  29d830c
                                      2497  29d834e  WriteProcessMemory Wow64SetThreadContext ResumeThread
                                      2498  29d8311  WriteProcessMemory
                                    Edges:
                                      2485 -> 2488
                                      2488 -> 2486
                                      2488 -> 2489
                                      2489 -> 2490
                                      2490 -> 2492
                                      2492 -> 2488
                                      2493 -> 2494
                                      2494 -> 2495
                                      2494 -> 2499
                                      2495 -> 2496
                                      2496 -> 2497
                                      2496 -> 2498
                                      2498 -> 2496
                                      2499 -> 2494

                                  Control-flow Graph

                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029D7FFB,029D7FEB), ref: 029D8221
                                  • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 029D8234
                                  • Wow64GetThreadContext.KERNEL32(00000384,00000000), ref: 029D8252
                                  • ReadProcessMemory.KERNELBASE(0000038C,?,029D803F,00000004,00000000), ref: 029D8276
                                  • VirtualAllocEx.KERNELBASE(0000038C,?,?,00003000,00000040), ref: 029D82A1
                                  • WriteProcessMemory.KERNELBASE(0000038C,00000000,?,?,00000000,?), ref: 029D82F9
                                  • WriteProcessMemory.KERNELBASE(0000038C,00400000,?,?,00000000,?,00000028), ref: 029D8344
                                  • WriteProcessMemory.KERNELBASE(0000038C,?,?,00000004,00000000), ref: 029D8382
                                  • Wow64SetThreadContext.KERNEL32(00000384,04E60000), ref: 029D83BE
                                  • ResumeThread.KERNELBASE(00000384), ref: 029D83CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2202807808.00000000029D7000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D7000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_29d7000_gem1.jbxd
                                  Similarity
                                  • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                  • String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                  • API String ID: 2687962208-232383841
                                  • Opcode ID: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
                                  • Instruction ID: 3df32ef9beffd10a59b47ea7906505796bdbdf35be7d3bb495a38d68c7906d05
                                  • Opcode Fuzzy Hash: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
                                  • Instruction Fuzzy Hash: 52B1F97660064AAFDB60CF68CC80BDA77A5FF88714F158514EA0CAB342D774FA51CB94

                                  Control-flow Graph

                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029D7FFB,029D7FEB), ref: 029D8221
                                  • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 029D8234
                                  • Wow64GetThreadContext.KERNEL32(00000384,00000000), ref: 029D8252
                                  • ReadProcessMemory.KERNELBASE(0000038C,?,029D803F,00000004,00000000), ref: 029D8276
                                  • VirtualAllocEx.KERNELBASE(0000038C,?,?,00003000,00000040), ref: 029D82A1
                                  • WriteProcessMemory.KERNELBASE(0000038C,00000000,?,?,00000000,?), ref: 029D82F9
                                  • WriteProcessMemory.KERNELBASE(0000038C,00400000,?,?,00000000,?,00000028), ref: 029D8344
                                  • WriteProcessMemory.KERNELBASE(0000038C,?,?,00000004,00000000), ref: 029D8382
                                  • Wow64SetThreadContext.KERNEL32(00000384,04E60000), ref: 029D83BE
                                  • ResumeThread.KERNELBASE(00000384), ref: 029D83CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2202807808.00000000029D7000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D7000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_29d7000_gem1.jbxd
                                  Similarity
                                  • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                  • String ID: TerminateProcess
                                  • API String ID: 2687962208-2873147277
                                  • Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
                                  • Instruction ID: b5b2a0393d0004684c513fdc3456ef851ce436205c62a4f403b2c30fdfdbf2a2
                                  • Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
                                  • Instruction Fuzzy Hash: CF312D72240646ABD734CF94CC91FEA7365BFC8B15F148508EB09AF281C6B4BA01CB94
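The ten calls listed in the two API tables above (the function at 29d8206 in the execution graph, recorded from the memory dump at 029D7000) are the textbook process-hollowing (RunPE) sequence, read straight from the arguments the sandbox captured: CreateProcessW with dwCreationFlags 0x4 (CREATE_SUSPENDED) starts a child that never runs its own entry point; Wow64GetThreadContext on thread handle 0x384 fetches the 32-bit context (Wow64 variants because the sample, per the process list, is a 32-bit process on 64-bit Windows); VirtualAllocEx in process 0x38C with 0x3000 (MEM_COMMIT | MEM_RESERVE) and 0x40 (PAGE_EXECUTE_READWRITE) reserves writable, executable memory; three WriteProcessMemory calls copy the payload in, one of them at 0x00400000, the default image base of a 32-bit executable; Wow64SetThreadContext on the same thread points it at the new code, and ResumeThread lets it run. That Target ID 3, a second gem1.exe instance whose own image base is 0xe80000, later matches the Meduza Stealer YARA rules in a region at 0x400000 is consistent with the child being this process and that region being the written payload. The String IDs for the same function ("GetP" + "ress", "Load" + "aryA") are consistent with GetProcAddress and LoadLibraryA being assembled from split string fragments at runtime, which is why the import table alone would not reveal these APIs. The Python below is an added example, not Joe Sandbox or Sekoia code: it parses the API listing as it is printed above, decodes the flag arguments, and reports the hollowing stages in order. The constant names are the Windows SDK values; the parser, the field positions and the verdict labels are assumptions made for this example.

```python
"""Added example: spot the process-hollowing call sequence in a sandbox API trace.

Parses lines in the form the report prints them ("Api.Module(args), ref: addr")
and checks the argument values that make the sequence hollowing rather than a
plain CreateProcess.  Field positions follow the Win32 prototypes.
"""
import re
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004        # CreateProcess dwCreationFlags
MEM_COMMIT = 0x00001000              # VirtualAllocEx flAllocationType
PAGE_EXECUTE_READWRITE = 0x00000040  # VirtualAllocEx flProtect

# Constructed input: the ten calls copied verbatim from the report's API table.
TRACE = """\
CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029D7FFB,029D7FEB), ref: 029D8221
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 029D8234
Wow64GetThreadContext.KERNEL32(00000384,00000000), ref: 029D8252
ReadProcessMemory.KERNELBASE(0000038C,?,029D803F,00000004,00000000), ref: 029D8276
VirtualAllocEx.KERNELBASE(0000038C,?,?,00003000,00000040), ref: 029D82A1
WriteProcessMemory.KERNELBASE(0000038C,00000000,?,?,00000000,?), ref: 029D82F9
WriteProcessMemory.KERNELBASE(0000038C,00400000,?,?,00000000,?,00000028), ref: 029D8344
WriteProcessMemory.KERNELBASE(0000038C,?,?,00000004,00000000), ref: 029D8382
Wow64SetThreadContext.KERNEL32(00000384,04E60000), ref: 029D83BE
ResumeThread.KERNELBASE(00000384), ref: 029D83CD
"""

CALL_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")


@dataclass
class Call:
    api: str
    module: str
    args: list   # int for hex values, None where the sandbox printed '?'
    ref: int


def parse_trace(text):
    """Turn the report's bullet lines into Call records (bullets are optional)."""
    calls = []
    for line in text.splitlines():
        line = line.strip().lstrip("• ").strip()
        if not line:
            continue
        m = CALL_RE.match(line)
        if not m:
            raise ValueError(f"unparsable trace line: {line!r}")
        args = [None if t.strip() == "?" else int(t, 16) for t in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def canon(api):
    """Fold Wow64/ANSI/Unicode variants onto one name so the stage logic stays short."""
    if api.startswith("Wow64"):
        api = api[len("Wow64"):]
    if api in ("CreateProcessA", "CreateProcessW"):
        api = "CreateProcess"
    return api


def analyze(calls):
    """Walk the calls in order and record which hollowing stages they satisfy."""
    f = {
        "suspended": False,           # CreateProcess with CREATE_SUSPENDED
        "thread_handle": None,        # taken from GetThreadContext
        "process_handle": None,       # taken from VirtualAllocEx / WriteProcessMemory
        "rwx_remote_alloc": False,    # VirtualAllocEx committed PAGE_EXECUTE_READWRITE
        "remote_write_targets": [],   # addresses written into the child
        "context_replaced": False,    # SetThreadContext on the suspended thread after writes
        "resumed_after_write": False, # ResumeThread on that thread after the context swap
        "verdict": "no-match",
    }
    wrote = ctx_set = False
    for c in calls:
        api, a = canon(c.api), c.args
        if api == "CreateProcess" and len(a) > 5 and a[5] is not None and a[5] & CREATE_SUSPENDED:
            f["suspended"] = True
        elif api == "GetThreadContext" and a:
            f["thread_handle"] = a[0]
        elif api == "VirtualAllocEx" and len(a) > 4:
            f["process_handle"] = a[0]
            if a[3] is not None and a[3] & MEM_COMMIT and a[4] == PAGE_EXECUTE_READWRITE:
                f["rwx_remote_alloc"] = True
        elif api == "WriteProcessMemory" and len(a) > 1 and f["process_handle"] in (None, a[0]):
            f["process_handle"] = a[0]
            wrote = True
            if a[1] is not None:
                f["remote_write_targets"].append(a[1])
        elif api == "SetThreadContext" and a and a[0] == f["thread_handle"] and wrote:
            ctx_set = f["context_replaced"] = True
        elif api == "ResumeThread" and a and a[0] == f["thread_handle"] and ctx_set:
            f["resumed_after_write"] = True
    if f["suspended"] and f["context_replaced"] and f["resumed_after_write"]:
        f["verdict"] = "process-hollowing"
    elif f["suspended"] and wrote:
        f["verdict"] = "suspicious"
    return f


if __name__ == "__main__":
    result = analyze(parse_trace(TRACE))
    for key, value in result.items():
        print(f"{key:22} {value if not isinstance(value, list) else [hex(v) for v in value]}")
```

Run against the listing it reports process-hollowing, with process handle 0x38C, thread handle 0x384, an RWX allocation and a write landing at 0x400000. The same walk applied to a trace that only creates a suspended process and writes nothing returns "no-match", which keeps debuggers and installers that use CREATE_SUSPENDED legitimately out of the alert. The order checks matter more than the individual calls: SetThreadContext counts only after a remote write, and ResumeThread only after the context swap.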

                                  Control-flow Graph

                                  Legend: Executed / Not Executed
                                  control_flow_graph
                                    41  e94312-e9439e  VirtualProtect
                                    44  e943a0
                                    45  e943a5-e943b9
                                    41 -> 44, 41 -> 45, 44 -> 45
                                  APIs
                                  • VirtualProtect.KERNELBASE(039D358C,?,?,?), ref: 00E94391
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2202536099.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e90000_gem1.jbxd
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID: F
                                  • API String ID: 544645111-1845153225
                                  • Opcode ID: f9026a344a59b133cf7c18abb6ee53cf65626a27b722dd32d49483dfa088eb22
                                  • Instruction ID: 412ef49e5b082d6fd8dac34b197b8781187b69270703d2fd14d1bd32690ff61c
                                  • Opcode Fuzzy Hash: f9026a344a59b133cf7c18abb6ee53cf65626a27b722dd32d49483dfa088eb22
                                  • Instruction Fuzzy Hash: 8321C0B5901259EFDB00CF9AD984ADEFBB4FF48314F10812AE918B7240D3B5A954CFA1

                                  Control-flow Graph

                                  Legend: Executed / Not Executed
                                  control_flow_graph
                                    36  e906d0-e9439e  VirtualProtect
                                    39  e943a0
                                    40  e943a5-e943b9
                                    36 -> 39, 36 -> 40, 39 -> 40
                                  APIs
                                  • VirtualProtect.KERNELBASE(039D358C,?,?,?), ref: 00E94391
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2202536099.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e90000_gem1.jbxd
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID: F
                                  • API String ID: 544645111-1845153225
                                  • Opcode ID: e20c98ea3c851015c850e719d8bbaf43939ddfc8e0a68174f48675519443d162
                                  • Instruction ID: 14c5bd05efd6e698dd5d921dddc56ab26a66f5f9083248f7f3dadad3e0e1fe95
                                  • Opcode Fuzzy Hash: e20c98ea3c851015c850e719d8bbaf43939ddfc8e0a68174f48675519443d162
                                  • Instruction Fuzzy Hash: 5621C3B5D01659EFCB00DF99D884ADEFBB4FB48314F10812AE918B7240D3B56954CBE5

                                  Execution Graph

                                  Execution Coverage:12.1%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:14.3%
                                  Total number of Nodes:1924
                                  Total number of Limit Nodes:104
                                  execution_graph 48483 4a8949 48484 4a8955 __FrameHandler3::FrameUnwindToState 48483->48484 48491 49b2e1 EnterCriticalSection 48484->48491 48486 4a8960 48492 4a89a8 48486->48492 48490 4a898a 48491->48486 48493 4a89cb 48492->48493 48494 4a89b8 48492->48494 48496 4a8a20 48493->48496 48497 4a89e1 48493->48497 48515 4950d4 14 API calls __dosmaperr 48494->48515 48517 4950d4 14 API calls __dosmaperr 48496->48517 48511 4a88c5 48497->48511 48498 4a89bd 48516 497d29 50 API calls __wsopen_s 48498->48516 48502 4a8a25 48518 497d29 50 API calls __wsopen_s 48502->48518 48504 4a8976 48510 4a899f LeaveCriticalSection std::_Lockit::~_Lockit 48504->48510 48507 4a8a3b 48507->48504 48520 497d56 IsProcessorFeaturePresent 48507->48520 48509 4a8a55 48510->48490 48513 4a88d3 48511->48513 48512 4a8939 48512->48504 48519 4a4e67 50 API calls 2 library calls 48512->48519 48513->48512 48524 4a9a5d 51 API calls 2 library calls 48513->48524 48515->48498 48516->48504 48517->48502 48518->48504 48519->48507 48521 497d62 48520->48521 48525 497b2d 48521->48525 48524->48513 48526 497b49 __fread_nolock __purecall 48525->48526 48527 497b75 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 48526->48527 48528 497c46 __purecall 48527->48528 48531 4abbf5 48528->48531 48530 497c64 GetCurrentProcess TerminateProcess 48530->48509 48532 4abbfe IsProcessorFeaturePresent 48531->48532 48533 4abbfd 48531->48533 48535 4ac011 48532->48535 48533->48530 48538 4abfd4 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 48535->48538 48537 4ac0f4 48537->48530 48538->48537 48539 49c50a 48540 49c52f 48539->48540 48541 49c517 48539->48541 48545 49c58e 48540->48545 48553 49c527 48540->48553 48598 49e8bd 14 API calls 2 library calls 48540->48598 48596 4950d4 14 API calls __dosmaperr 48541->48596 48543 49c51c 48597 497d29 50 API calls __wsopen_s 48543->48597 48559 498cea 48545->48559 48548 49c5a7 48566 49edf5 48548->48566 48551 498cea 
__fread_nolock 50 API calls 48552 49c5e0 48551->48552 48552->48553 48554 498cea __fread_nolock 50 API calls 48552->48554 48555 49c5ee 48554->48555 48555->48553 48556 498cea __fread_nolock 50 API calls 48555->48556 48557 49c5fc 48556->48557 48558 498cea __fread_nolock 50 API calls 48557->48558 48558->48553 48560 498d0b 48559->48560 48561 498cf6 48559->48561 48560->48548 48599 4950d4 14 API calls __dosmaperr 48561->48599 48563 498cfb 48600 497d29 50 API calls __wsopen_s 48563->48600 48565 498d06 48565->48548 48567 49ee01 __FrameHandler3::FrameUnwindToState 48566->48567 48568 49ee09 48567->48568 48572 49ee24 48567->48572 48667 4950c1 14 API calls __dosmaperr 48568->48667 48570 49ee0e 48668 4950d4 14 API calls __dosmaperr 48570->48668 48571 49ee3b 48669 4950c1 14 API calls __dosmaperr 48571->48669 48572->48571 48575 49ee76 48572->48575 48577 49ee7f 48575->48577 48578 49ee94 48575->48578 48576 49ee40 48670 4950d4 14 API calls __dosmaperr 48576->48670 48672 4950c1 14 API calls __dosmaperr 48577->48672 48601 4a2e7b EnterCriticalSection 48578->48601 48582 49ee9a 48585 49eeb9 48582->48585 48586 49eece 48582->48586 48583 49ee48 48671 497d29 50 API calls __wsopen_s 48583->48671 48584 49ee84 48673 4950d4 14 API calls __dosmaperr 48584->48673 48674 4950d4 14 API calls __dosmaperr 48585->48674 48602 49ef0e 48586->48602 48591 49eebe 48675 4950c1 14 API calls __dosmaperr 48591->48675 48592 49eec9 48676 49ef06 LeaveCriticalSection __wsopen_s 48592->48676 48595 49c5af 48595->48551 48595->48553 48596->48543 48597->48553 48598->48545 48599->48563 48600->48565 48601->48582 48603 49ef38 48602->48603 48604 49ef20 48602->48604 48606 49f27a 48603->48606 48611 49ef7b 48603->48611 48686 4950c1 14 API calls __dosmaperr 48604->48686 48714 4950c1 14 API calls __dosmaperr 48606->48714 48607 49ef25 48687 4950d4 14 API calls __dosmaperr 48607->48687 48610 49f27f 48715 4950d4 14 API calls __dosmaperr 48610->48715 48612 49ef2d 48611->48612 48614 49ef86 48611->48614 48617 49efb6 48611->48617 
48612->48592 48688 4950c1 14 API calls __dosmaperr 48614->48688 48616 49ef8b 48689 4950d4 14 API calls __dosmaperr 48616->48689 48620 49efcf 48617->48620 48622 49f00a 48617->48622 48623 49efdc 48617->48623 48620->48623 48627 49eff8 48620->48627 48621 49ef93 48716 497d29 50 API calls __wsopen_s 48621->48716 48693 49d15a 48622->48693 48690 4950c1 14 API calls __dosmaperr 48623->48690 48626 49efe1 48691 4950d4 14 API calls __dosmaperr 48626->48691 48677 4a652f 48627->48677 48632 49efe8 48692 497d29 50 API calls __wsopen_s 48632->48692 48633 49f156 48636 49f1ca 48633->48636 48639 49f16f GetConsoleMode 48633->48639 48638 49f1ce ReadFile 48636->48638 48637 49c0bd ___free_lconv_mon 14 API calls 48640 49f02b 48637->48640 48641 49f242 GetLastError 48638->48641 48642 49f1e6 48638->48642 48639->48636 48643 49f180 48639->48643 48644 49f050 48640->48644 48645 49f035 48640->48645 48646 49f24f 48641->48646 48647 49f1a6 48641->48647 48642->48641 48648 49f1bf 48642->48648 48643->48638 48649 49f186 ReadConsoleW 48643->48649 48708 49f49f 52 API calls 2 library calls 48644->48708 48706 4950d4 14 API calls __dosmaperr 48645->48706 48712 4950d4 14 API calls __dosmaperr 48646->48712 48664 49eff3 __fread_nolock 48647->48664 48709 49507a 14 API calls 2 library calls 48647->48709 48660 49f20b 48648->48660 48661 49f222 48648->48661 48648->48664 48649->48648 48650 49f1a0 GetLastError 48649->48650 48650->48647 48651 49c0bd ___free_lconv_mon 14 API calls 48651->48612 48656 49f03a 48707 4950c1 14 API calls __dosmaperr 48656->48707 48657 49f254 48713 4950c1 14 API calls __dosmaperr 48657->48713 48710 49ec20 55 API calls 4 library calls 48660->48710 48663 49f23b 48661->48663 48661->48664 48711 49ea66 53 API calls __fread_nolock 48663->48711 48664->48651 48666 49f240 48666->48664 48667->48570 48668->48595 48669->48576 48670->48583 48671->48595 48672->48584 48673->48583 48674->48591 48675->48592 48676->48595 48678 4a6549 48677->48678 48679 4a653c 48677->48679 48683 4a6555 48678->48683 48718 4950d4 
479d29 51555 4afa0c RaiseException 51223->51555 51225 479d3a 51227 479da3 51226->51227 51556 4510c0 50 API calls 51227->51556 51229 479e63 51557 4511a0 50 API calls CatchGuardHandler 51229->51557 51231 479e78 51558 4afa0c RaiseException 51231->51558 51233 479e89 51235 44b8f0 50 API calls 51234->51235 51236 44fea4 __Strxfrm 51235->51236 51237 44b8f0 50 API calls 51236->51237 51238 44ffad 51237->51238 51238->51098 51240 454eb2 51239->51240 51241 454e6d 51239->51241 51258 434f80 50 API calls 2 library calls 51240->51258 51243 454e77 51241->51243 51244 454ea5 51241->51244 51245 454e82 51241->51245 51243->51140 51246 4abc08 std::_Facet_Register 50 API calls 51244->51246 51245->51240 51248 454e89 51245->51248 51249 454eab 51246->51249 51251 4abc08 std::_Facet_Register 50 API calls 51248->51251 51249->51140 51252 454e8f 51251->51252 51253 454e98 51252->51253 51259 497d39 50 API calls 2 library calls 51252->51259 51253->51140 51254->51143 51255->51128 51258->51252 51261->51152 51263 475a5c 51262->51263 51344 494d10 51263->51344 51267 4739ba 51268 473b90 51267->51268 51269 473e7f 51268->51269 51273 473bec __fread_nolock 51268->51273 51495 476a20 55 API calls CatchGuardHandler 51269->51495 51271 473eca 51272 474190 53 API calls 51271->51272 51274 473eda 51272->51274 51492 454180 50 API calls 51273->51492 51276 474003 51274->51276 51278 4517f0 50 API calls 51274->51278 51279 474076 51276->51279 51284 44ca70 50 API calls 51276->51284 51277 473c61 51493 475df0 55 API calls CatchGuardHandler 51277->51493 51283 473f16 51278->51283 51282 4540f0 50 API calls 51279->51282 51281 473c76 51285 474190 53 API calls 51281->51285 51286 473e7a 51282->51286 51287 4543f0 55 API calls 51283->51287 51288 474029 51284->51288 51289 473c7e 51285->51289 51290 4abbf5 CatchGuardHandler 5 API calls 51286->51290 51291 473f31 51287->51291 51292 44d3b0 50 API calls 51288->51292 51293 473d96 51289->51293 51296 4517f0 50 API calls 51289->51296 51294 4739cd 51290->51294 51295 459790 50 API calls 
51291->51295 51292->51279 51297 473df6 51293->51297 51298 473d9c 51293->51298 51294->51166 51299 473f5f 51295->51299 51300 473cae 51296->51300 51302 473e68 51297->51302 51308 44ca70 50 API calls 51297->51308 51301 44ca70 50 API calls 51298->51301 51303 454730 55 API calls 51299->51303 51306 4543f0 55 API calls 51300->51306 51307 473dbc 51301->51307 51494 453fe0 50 API calls 51302->51494 51304 473f7a 51303->51304 51309 473f8c 51304->51309 51310 4740c9 51304->51310 51311 473cc6 51306->51311 51315 44d3b0 50 API calls 51307->51315 51308->51307 51312 44d060 50 API calls 51309->51312 51498 44d1a0 50 API calls 51310->51498 51313 459790 50 API calls 51311->51313 51316 473f9b 51312->51316 51317 473cf4 51313->51317 51315->51302 51319 4ad441 ___std_exception_destroy 14 API calls 51316->51319 51320 454730 55 API calls 51317->51320 51318 4740d5 51499 4afa0c RaiseException 51318->51499 51322 473fc5 51319->51322 51323 473d10 51320->51323 51325 4ad441 ___std_exception_destroy 14 API calls 51322->51325 51326 4740a7 51323->51326 51327 473d22 51323->51327 51324 4740e6 51328 473fe2 51325->51328 51496 44d1a0 50 API calls 51326->51496 51330 44d060 50 API calls 51327->51330 51331 44d060 50 API calls 51328->51331 51333 473d31 51330->51333 51334 473ff4 51331->51334 51332 4740b8 51497 4afa0c RaiseException 51332->51497 51336 4ad441 ___std_exception_destroy 14 API calls 51333->51336 51338 44d060 50 API calls 51334->51338 51337 473d5b 51336->51337 51339 4ad441 ___std_exception_destroy 14 API calls 51337->51339 51338->51276 51340 473d78 51339->51340 51341 44d060 50 API calls 51340->51341 51342 473d8a 51341->51342 51343 44d060 50 API calls 51342->51343 51343->51293 51415 4992a7 GetLastError 51344->51415 51349 474190 51350 4741a9 51349->51350 51383 4741ec 51349->51383 51481 475760 50 API calls 51350->51481 51353 4741ae 51353->51383 51482 475760 50 API calls 51353->51482 51354 474243 51355 474389 51354->51355 51357 474286 51354->51357 51358 474324 51354->51358 51359 4742c2 51354->51359 51360 
4742ae 51354->51360 51361 474349 51354->51361 51362 4742d6 51354->51362 51363 474375 51354->51363 51364 474272 51354->51364 51365 47435f 51354->51365 51366 47425e 51354->51366 51367 4742fb 51354->51367 51368 47429a 51354->51368 51381 4abbf5 CatchGuardHandler 5 API calls 51355->51381 51375 4abbf5 CatchGuardHandler 5 API calls 51357->51375 51489 4744f0 50 API calls 51358->51489 51382 4abbf5 CatchGuardHandler 5 API calls 51359->51382 51380 4abbf5 CatchGuardHandler 5 API calls 51360->51380 51490 474e30 50 API calls CatchGuardHandler 51361->51490 51487 4744f0 50 API calls 51362->51487 51379 4abbf5 CatchGuardHandler 5 API calls 51363->51379 51374 4abbf5 CatchGuardHandler 5 API calls 51364->51374 51491 4745a0 53 API calls 2 library calls 51365->51491 51372 4abbf5 CatchGuardHandler 5 API calls 51366->51372 51488 4744f0 50 API calls 51367->51488 51378 4abbf5 CatchGuardHandler 5 API calls 51368->51378 51369 4741bc 51377 4741d1 51369->51377 51483 475760 50 API calls 51369->51483 51388 47426e 51372->51388 51390 474282 51374->51390 51391 474296 51375->51391 51395 4abbf5 CatchGuardHandler 5 API calls 51377->51395 51394 4742aa 51378->51394 51396 474385 51379->51396 51397 4742be 51380->51397 51398 4743a0 51381->51398 51399 4742d2 51382->51399 51484 474460 50 API calls 51383->51484 51386 47421b 51386->51354 51386->51355 51485 474d00 50 API calls 51386->51485 51486 474460 50 API calls 51386->51486 51387 47433a 51403 4abbf5 CatchGuardHandler 5 API calls 51387->51403 51388->51267 51389 474350 51404 4abbf5 CatchGuardHandler 5 API calls 51389->51404 51390->51267 51391->51267 51392 474366 51405 4abbf5 CatchGuardHandler 5 API calls 51392->51405 51394->51267 51407 4741e8 51395->51407 51396->51267 51397->51267 51398->51267 51399->51267 51400 4742ec 51408 4abbf5 CatchGuardHandler 5 API calls 51400->51408 51401 474315 51409 4abbf5 CatchGuardHandler 5 API calls 51401->51409 51410 474345 51403->51410 51411 47435b 51404->51411 51412 474371 51405->51412 51406 4741ca 51406->51377 51406->51383 
51407->51267 51413 4742f7 51408->51413 51414 474320 51409->51414 51410->51267 51411->51267 51412->51267 51413->51267 51414->51267 51416 4992bd 51415->51416 51417 4992c3 51415->51417 51446 49cbd8 6 API calls std::_Locinfo::_Locinfo_ctor 51416->51446 51421 4992c7 SetLastError 51417->51421 51447 49cc17 6 API calls std::_Locinfo::_Locinfo_ctor 51417->51447 51420 4992df 51420->51421 51423 49c6a4 _unexpected 14 API calls 51420->51423 51424 49935c 51421->51424 51425 494d1b 51421->51425 51426 4992f4 51423->51426 51452 498ca6 51424->51452 51442 49b0ec 51425->51442 51427 49930d 51426->51427 51428 4992fc 51426->51428 51449 49cc17 6 API calls std::_Locinfo::_Locinfo_ctor 51427->51449 51448 49cc17 6 API calls std::_Locinfo::_Locinfo_ctor 51428->51448 51433 49930a 51438 49c0bd ___free_lconv_mon 14 API calls 51433->51438 51434 499319 51435 49931d 51434->51435 51436 499334 51434->51436 51450 49cc17 6 API calls std::_Locinfo::_Locinfo_ctor 51435->51450 51451 4990d5 14 API calls _unexpected 51436->51451 51438->51421 51440 49933f 51441 49c0bd ___free_lconv_mon 14 API calls 51440->51441 51441->51421 51443 49b0ff 51442->51443 51444 475b5c 51442->51444 51443->51444 51465 4a342d 51443->51465 51444->51349 51446->51417 51447->51420 51448->51433 51449->51434 51450->51433 51451->51440 51461 4a2af6 EnterCriticalSection LeaveCriticalSection __purecall 51452->51461 51455 498cc0 IsProcessorFeaturePresent 51459 498cab 51455->51459 51457 497b2d __purecall 8 API calls 51457->51459 51459->51452 51459->51455 51459->51457 51460 499361 51459->51460 51462 4a2b3b 50 API calls 8 library calls 51459->51462 51463 4a29d2 50 API calls __purecall 51459->51463 51464 4afade 23 API calls 4 library calls 51459->51464 51461->51459 51462->51459 51463->51459 51464->51459 51466 4a3439 __FrameHandler3::FrameUnwindToState 51465->51466 51467 4992a7 _unexpected 50 API calls 51466->51467 51468 4a3442 51467->51468 51475 4a3488 51468->51475 51478 49b2e1 EnterCriticalSection 51468->51478 51470 4a3460 51479 4a34ae 14 API calls 
__Strcoll 51470->51479 51472 4a3471 51480 4a348d LeaveCriticalSection std::_Lockit::~_Lockit 51472->51480 51474 4a3484 51474->51475 51476 498ca6 __purecall 50 API calls 51474->51476 51475->51444 51477 4a34ad 51476->51477 51478->51470 51479->51472 51480->51474 51481->51353 51482->51369 51483->51406 51484->51386 51485->51386 51486->51386 51487->51400 51488->51401 51489->51387 51490->51389 51491->51392 51492->51277 51493->51281 51494->51286 51495->51271 51496->51332 51497->51310 51498->51318 51499->51324 51501 44a9b5 51500->51501 51502 44a9bd 51500->51502 51526 451310 50 API calls 2 library calls 51501->51526 51503 44a9c5 51502->51503 51504 44a9fe 51502->51504 51516 458110 51503->51516 51527 4513c0 50 API calls 51504->51527 51507 44a9d6 51508 44d060 50 API calls 51507->51508 51510 44a9e8 51508->51510 51510->51176 51511 44aa14 51528 4511a0 50 API calls CatchGuardHandler 51511->51528 51513 44aa26 51529 4afa0c RaiseException 51513->51529 51515 44aa37 51522 458164 51516->51522 51517 4581c4 51520 4abc08 std::_Facet_Register 50 API calls 51517->51520 51518 4582a0 51530 4351b0 50 API calls 51518->51530 51523 4581e5 51520->51523 51522->51517 51522->51518 51525 4581a4 51522->51525 51524 44ca70 50 API calls 51523->51524 51524->51525 51525->51507 51526->51502 51527->51511 51528->51513 51529->51515 51531->51182 51532->51184 51533->51186 51534->51196 51536 46004c 51535->51536 51546 460107 51535->51546 51539 454e60 50 API calls 51536->51539 51540 46008c 51539->51540 51541 4600cc 51540->51541 51548 45fb40 5 API calls CatchGuardHandler 51540->51548 51549 45fb40 5 API calls CatchGuardHandler 51541->51549 51544 4600ef 51550 45bea0 50 API calls error_info_injector 51544->51550 51546->51197 51551 449730 50 API calls 51546->51551 51548->51541 51549->51544 51550->51546 51553->51221 51554->51223 51555->51225 51556->51229 51557->51231 51558->51233 53744 4a283f 53743->53744 53745 4a282d 53743->53745 53755 4a26b0 53744->53755 53770 4a28c8 GetModuleHandleW 53745->53770 53748 4a2832 53748->53744 
53771 4a2923 GetModuleHandleExW 53748->53771 53750 4a287c 53750->49881 53756 4a26bc __FrameHandler3::FrameUnwindToState 53755->53756 53777 49b2e1 EnterCriticalSection 53756->53777 53758 4a26c6 53778 4a2718 53758->53778 53760 4a26d3 53782 4a26f1 53760->53782 53763 4a2897 53815 4a290a 53763->53815 53765 4a28a1 53766 4a28b5 53765->53766 53767 4a28a5 GetCurrentProcess TerminateProcess 53765->53767 53768 4a2923 __purecall 3 API calls 53766->53768 53767->53766 53769 4a28bd ExitProcess 53768->53769 53770->53748 53772 4a2962 GetProcAddress 53771->53772 53773 4a2983 53771->53773 53772->53773 53776 4a2976 53772->53776 53774 4a2989 FreeLibrary 53773->53774 53775 4a283e 53773->53775 53774->53775 53775->53744 53776->53773 53777->53758 53779 4a2724 __FrameHandler3::FrameUnwindToState __purecall 53778->53779 53780 4a2788 __purecall 53779->53780 53785 4a8d62 53779->53785 53780->53760 53814 49b329 LeaveCriticalSection 53782->53814 53784 4a26df 53784->53750 53784->53763 53786 4a8d6e __EH_prolog3 53785->53786 53789 4a8aba 53786->53789 53788 4a8d95 __purecall 53788->53780 53790 4a8ac6 __FrameHandler3::FrameUnwindToState 53789->53790 53797 49b2e1 EnterCriticalSection 53790->53797 53792 4a8ad4 53798 4a8c72 53792->53798 53796 4a8af2 53796->53788 53797->53792 53800 4a8c91 53798->53800 53801 4a8ae1 53798->53801 53799 4a8d1f 53799->53801 53802 49c0bd ___free_lconv_mon 14 API calls 53799->53802 53800->53799 53800->53801 53805 4cee50 53800->53805 53804 4a8b09 LeaveCriticalSection std::_Lockit::~_Lockit 53801->53804 53802->53801 53804->53796 53806 44d3b0 50 API calls 53805->53806 53807 4cee99 53806->53807 53808 44cfd0 50 API calls 53807->53808 53809 4ceeb2 53808->53809 53810 44cfd0 50 API calls 53809->53810 53811 4ceecb 53810->53811 53812 44cfd0 50 API calls 53811->53812 53813 4ceeea 53812->53813 53813->53800 53814->53784 53818 4a6ed5 5 API calls __purecall 53815->53818 53817 4a290f __purecall 53817->53765 53818->53817 53819 44a0b0 53820 44a0bc 53819->53820 53821 44a0c7 53820->53821 53823 
449e50 52 API calls 53820->53823 53822 44a0d4 53823->53822 53824 470ef0 53825 4385b0 62 API calls 53824->53825 53826 470f74 53825->53826 53827 4385b0 62 API calls 53826->53827 53829 4717ff 53827->53829 53828 471c5b 53830 4abbf5 CatchGuardHandler 5 API calls 53828->53830 53829->53828 53832 44e320 50 API calls 53829->53832 53831 471c72 53830->53831 53833 471873 53832->53833 53834 436ee0 56 API calls 53833->53834 53835 47188f 53834->53835 53909 4735e0 53835->53909 53838 44d060 50 API calls 53839 4718b3 53838->53839 53840 44cfd0 50 API calls 53839->53840 53841 4718d9 53840->53841 53842 481830 154 API calls 53841->53842 53843 4718e7 53842->53843 53844 471c37 53843->53844 53846 44cd00 50 API calls 53843->53846 53845 471c49 53844->53845 53847 44d060 50 API calls 53844->53847 53849 44d060 50 API calls 53845->53849 53848 471908 53846->53848 53847->53845 53850 44d3b0 50 API calls 53848->53850 53849->53828 53851 47194e 53850->53851 53852 4abc08 std::_Facet_Register 50 API calls 53851->53852 53853 471964 53852->53853 53854 44bad0 50 API calls 53853->53854 53855 471984 53854->53855 53856 4517f0 50 API calls 53855->53856 53857 4719d0 53856->53857 53858 44a980 50 API calls 53857->53858 53859 4719e0 53858->53859 53860 44d3b0 50 API calls 53859->53860 53861 471a2f 53860->53861 53861->53844 53862 471c9c 53861->53862 53863 4368a0 RaiseException 53862->53863 53864 471ca1 53863->53864 53865 44e320 50 API calls 53864->53865 53866 471d45 53865->53866 53867 436ee0 56 API calls 53866->53867 53868 471d61 53867->53868 53869 44cfd0 50 API calls 53868->53869 53870 471d88 53869->53870 53871 44eaf0 53 API calls 53870->53871 53872 472133 53871->53872 53873 437150 50 API calls 53872->53873 53874 47214e 53873->53874 53875 44cfd0 50 API calls 53874->53875 53876 472161 53875->53876 53877 44ba90 50 API calls 53876->53877 53878 472348 53877->53878 53879 45d680 53 API calls 53878->53879 53880 47238c 53879->53880 53881 437150 50 API calls 53880->53881 53882 4723c3 53881->53882 53883 481110 154 API calls 
53882->53883 53884 4723d7 53883->53884 53885 44cfd0 50 API calls 53884->53885 53886 4723ea 53885->53886 53887 44cfd0 50 API calls 53886->53887 53888 4723fd 53887->53888 53913 449510 53888->53913 53891 472dc5 53894 438f80 50 API calls 53891->53894 53895 472de3 53894->53895 53897 44d060 50 API calls 53895->53897 53896 472e47 53898 4368a0 RaiseException 53896->53898 53899 472def 53897->53899 53900 472e4c 53898->53900 53901 44cfd0 50 API calls 53899->53901 53902 437c30 55 API calls 53900->53902 53903 472e02 53901->53903 53904 472e60 53902->53904 53905 44d060 50 API calls 53903->53905 53906 472e29 53905->53906 53907 4abbf5 CatchGuardHandler 5 API calls 53906->53907 53908 472e40 53907->53908 53910 47361a 53909->53910 53911 4740f0 53 API calls 53910->53911 53912 4718a1 53911->53912 53912->53838 53914 4b9258 54 API calls 53913->53914 53915 449553 53914->53915 53931 452250 53915->53931 53918 44e020 79 API calls 53919 449571 53918->53919 53956 450ce0 53919->53956 53922 4384a0 53923 4385b0 62 API calls 53922->53923 53924 4384bc 53923->53924 53925 4384dc 53924->53925 53926 4384f7 53924->53926 53928 4abbf5 CatchGuardHandler 5 API calls 53925->53928 53927 437c30 55 API calls 53926->53927 53929 438505 53927->53929 53930 4384ed 53928->53930 53930->53891 53930->53896 53932 4b8dd0 std::_Lockit::_Lockit 7 API calls 53931->53932 53933 452292 53932->53933 53934 4b8dd0 std::_Lockit::_Lockit 7 API calls 53933->53934 53938 4522dc 53933->53938 53936 4522b4 53934->53936 53935 452328 53937 4b8e28 std::_Lockit::~_Lockit 2 API calls 53935->53937 53939 4b8e28 std::_Lockit::~_Lockit 2 API calls 53936->53939 53940 45241a 53937->53940 53938->53935 53943 4abc08 std::_Facet_Register 50 API calls 53938->53943 53939->53938 53941 4abbf5 CatchGuardHandler 5 API calls 53940->53941 53942 449566 53941->53942 53942->53918 53944 452336 53943->53944 53976 436000 50 API calls 53944->53976 53946 45234e 53947 435da0 78 API calls 53946->53947 53948 45236a 53947->53948 53977 4b986f 50 API calls 2 library calls 
53948->53977 53950 4523a4 53978 435e60 78 API calls 3 library calls 53950->53978 53952 4523c7 53953 44d060 50 API calls 53952->53953 53954 4523dc 53953->53954 53979 4b9226 50 API calls std::_Facet_Register 53954->53979 53957 450d2d __fread_nolock 53956->53957 53958 4abc08 std::_Facet_Register 50 API calls 53957->53958 53959 450d95 53958->53959 53980 45d5c0 53959->53980 53964 450ee7 54006 45cfd0 50 API calls 53964->54006 53965 450e63 53999 45d4e0 53965->53999 53971 450e76 53972 4540f0 50 API calls 53971->53972 53973 450ec7 53972->53973 53974 4abbf5 CatchGuardHandler 5 API calls 53973->53974 53975 44959b 53974->53975 53975->53891 53975->53922 53976->53946 53977->53950 53978->53952 53979->53935 53981 4abc08 std::_Facet_Register 50 API calls 53980->53981 53982 450e4d 53981->53982 53983 45d220 53982->53983 54007 464380 53983->54007 53986 45d28e 53988 4abc08 std::_Facet_Register 50 API calls 53986->53988 53987 450e57 53987->53964 53987->53965 53990 45d29d 53988->53990 53989 4648b0 50 API calls 53991 45d285 53989->53991 53993 4abc08 std::_Facet_Register 50 API calls 53990->53993 53992 45d4e0 50 API calls 53991->53992 53992->53986 53997 45d318 53993->53997 53994 464380 50 API calls 53994->53997 53995 4648b0 50 API calls 53995->53997 53996 4abc08 std::_Facet_Register 50 API calls 53996->53997 53997->53987 53997->53994 53997->53995 53997->53996 53998 45d4e0 50 API calls 53997->53998 53998->53997 54000 45d512 53999->54000 54001 4abc08 std::_Facet_Register 50 API calls 54000->54001 54002 450e6c 54001->54002 54003 4648b0 54002->54003 54004 4abc08 std::_Facet_Register 50 API calls 54003->54004 54005 4648dd 54004->54005 54005->53971 54008 45d26e 54007->54008 54013 464397 54007->54013 54008->53986 54008->53987 54008->53989 54009 464892 54031 45cfd0 50 API calls 54009->54031 54012 464899 54032 45cfd0 50 API calls 54012->54032 54013->54008 54013->54009 54013->54012 54015 4648b0 50 API calls 54013->54015 54016 4648a0 54013->54016 54018 46488b 54013->54018 54025 4673f0 50 API calls 
std::_Facet_Register 54013->54025 54026 467260 50 API calls std::_Facet_Register 54013->54026 54027 4675b0 50 API calls 54013->54027 54028 467970 50 API calls 3 library calls 54013->54028 54029 467750 50 API calls 54013->54029 54015->54013 54033 45cfd0 50 API calls 54016->54033 54030 45cfd0 50 API calls 54018->54030 54025->54013 54026->54013 54027->54013 54028->54013 54029->54013 54034 4865d0 54065 47fd70 54034->54065 54037 48689b 54088 47fb50 54037->54088 54041 48666c 54042 44e320 50 API calls 54041->54042 54046 4866cf 54042->54046 54047 44cfd0 50 API calls 54046->54047 54049 486715 GetVolumeInformationW 54047->54049 54051 44cfd0 50 API calls 54049->54051 54054 486778 __fread_nolock 54051->54054 54052 48677c 54053 4abbf5 CatchGuardHandler 5 API calls 54052->54053 54055 486894 54053->54055 54054->54052 54072 47b120 54054->54072 54060 448cc0 50 API calls 54061 48680c 54060->54061 54062 44d060 50 API calls 54061->54062 54063 48686c 54062->54063 54064 447920 50 API calls 54063->54064 54064->54052 54066 47fe28 54065->54066 54069 47fe0c 54065->54069 54066->54069 54099 451cf0 50 API calls 2 library calls 54066->54099 54071 47ff2c 54069->54071 54095 4b8517 GetCurrentDirectoryW 54069->54095 54100 451cf0 50 API calls 2 library calls 54069->54100 54071->54037 54071->54041 54073 47b168 54072->54073 54074 44c250 81 API calls 54073->54074 54075 47b182 54074->54075 54076 44d730 54 API calls 54075->54076 54077 47b1ab 54076->54077 54078 47b1e0 54077->54078 54079 47b240 54078->54079 54080 453b90 50 API calls 54079->54080 54082 47b25a 54079->54082 54080->54082 54081 436640 50 API calls 54086 47b38d 54081->54086 54084 47b2b9 54082->54084 54101 47c6c0 54082->54101 54084->54081 54085 47b3a4 54085->54060 54086->54085 54120 454fa0 50 API calls 54086->54120 54089 44ba90 50 API calls 54088->54089 54090 47fb9d 54089->54090 54123 437450 50 API calls 54090->54123 54092 47fbb5 54124 4afa0c RaiseException 54092->54124 54094 47fbc6 54096 4b852d 54095->54096 54097 4b8536 GetLastError 54095->54097 
54096->54097 54098 4b8532 54096->54098 54097->54098 54098->54069 54099->54069 54100->54069 54102 4b8dd0 std::_Lockit::_Lockit 7 API calls 54101->54102 54103 47c702 54102->54103 54104 4b8dd0 std::_Lockit::_Lockit 7 API calls 54103->54104 54107 47c74c 54103->54107 54105 47c724 54104->54105 54109 4b8e28 std::_Lockit::~_Lockit 2 API calls 54105->54109 54106 4b8e28 std::_Lockit::~_Lockit 2 API calls 54108 47c863 54106->54108 54110 47c798 54107->54110 54112 4abc08 std::_Facet_Register 50 API calls 54107->54112 54111 4abbf5 CatchGuardHandler 5 API calls 54108->54111 54109->54107 54110->54106 54113 47c87d 54111->54113 54114 47c7a6 54112->54114 54113->54084 54115 435da0 78 API calls 54114->54115 54116 47c7d6 54115->54116 54121 435e60 78 API calls 3 library calls 54116->54121 54118 47c825 54122 4b9226 50 API calls std::_Facet_Register 54118->54122 54120->54085 54121->54118 54122->54110 54123->54092 54124->54094 54125 4bb697 54130 4bb3a9 54125->54130 54128 4bb6d6 54136 4bb3d7 ___vcrt_FlsGetValue 54130->54136 54131 4bb527 54135 4bb532 54131->54135 54148 4950d4 14 API calls __dosmaperr 54131->54148 54133 4bb602 54149 497d29 50 API calls __wsopen_s 54133->54149 54135->54128 54142 4bc8a4 54135->54142 54136->54131 54145 4a92c0 51 API calls 2 library calls 54136->54145 54138 4bb58f 54138->54131 54146 4a92c0 51 API calls 2 library calls 54138->54146 54140 4bb5ad 54140->54131 54147 4a92c0 51 API calls 2 library calls 54140->54147 54150 4bbeff 54142->54150 54145->54138 54146->54140 54147->54131 54148->54133 54149->54135 54151 4bbf0b __FrameHandler3::FrameUnwindToState 54150->54151 54152 4bbf12 54151->54152 54155 4bbf3d 54151->54155 54208 4950d4 14 API calls __dosmaperr 54152->54208 54154 4bbf17 54209 497d29 50 API calls __wsopen_s 54154->54209 54161 4bc57a 54155->54161 54160 4bbf21 54160->54128 54211 4bc2c8 54161->54211 54164 4bc5ac 54242 4950c1 14 API calls __dosmaperr 54164->54242 54165 4bc5c5 54228 4a2f56 54165->54228 54169 4bc5ea 54241 4bc233 CreateFileW 54169->54241 54170 4bc5d3 
54244 4950c1 14 API calls __dosmaperr 54170->54244 54174 4bc5d8 54245 4950d4 14 API calls __dosmaperr 54174->54245 54175 4bc623 54177 4bc6a0 GetFileType 54175->54177 54179 4bc675 GetLastError 54175->54179 54246 4bc233 CreateFileW 54175->54246 54178 4bc6ab GetLastError 54177->54178 54182 4bc6f2 54177->54182 54248 49507a 14 API calls 2 library calls 54178->54248 54247 49507a 14 API calls 2 library calls 54179->54247 54250 4a2e9e 15 API calls 3 library calls 54182->54250 54183 4bc5b1 54243 4950d4 14 API calls __dosmaperr 54183->54243 54184 4bc6b9 CloseHandle 54184->54183 54186 4bc6e2 54184->54186 54249 4950d4 14 API calls __dosmaperr 54186->54249 54188 4bc668 54188->54177 54188->54179 54190 4bc713 54191 4bc75f 54190->54191 54251 4bc442 84 API calls 4 library calls 54190->54251 54196 4bc766 54191->54196 54253 4bbfdd 84 API calls 4 library calls 54191->54253 54192 4bc6e7 54192->54183 54195 4bc794 54195->54196 54197 4bc7a2 54195->54197 54252 49c22b 53 API calls __wsopen_s 54196->54252 54199 4bbf61 54197->54199 54200 4bc81e CloseHandle 54197->54200 54210 4bbf94 LeaveCriticalSection __wsopen_s 54199->54210 54254 4bc233 CreateFileW 54200->54254 54202 4bc849 54203 4bc853 GetLastError 54202->54203 54204 4bc87f 54202->54204 54255 49507a 14 API calls 2 library calls 54203->54255 54204->54199 54206 4bc85f 54256 4a3069 15 API calls 3 library calls 54206->54256 54208->54154 54209->54160 54210->54160 54212 4bc2e9 54211->54212 54213 4bc303 54211->54213 54212->54213 54264 4950d4 14 API calls __dosmaperr 54212->54264 54257 4bc258 54213->54257 54216 4bc33b 54219 4bc36a 54216->54219 54266 4950d4 14 API calls __dosmaperr 54216->54266 54217 4bc2f8 54265 497d29 50 API calls __wsopen_s 54217->54265 54225 4bc3bd 54219->54225 54268 4ba591 50 API calls 2 library calls 54219->54268 54222 4bc3b8 54222->54225 54226 497d56 __Getcoll 11 API calls 54222->54226 54223 4bc35f 54267 497d29 50 API calls __wsopen_s 54223->54267 54225->54164 54225->54165 54227 4bc441 54226->54227 54229 4a2f62 
__FrameHandler3::FrameUnwindToState 54228->54229 54271 49b2e1 EnterCriticalSection 54229->54271 54231 4a2fb0 54272 4a3060 54231->54272 54232 4a2f8e 54235 4a2d2d __wsopen_s 15 API calls 54232->54235 54233 4a2f69 54233->54231 54233->54232 54238 4a2ffd EnterCriticalSection 54233->54238 54237 4a2f93 54235->54237 54237->54231 54275 4a2e7b EnterCriticalSection 54237->54275 54238->54231 54239 4a300a LeaveCriticalSection 54238->54239 54239->54233 54241->54175 54242->54183 54243->54199 54244->54174 54245->54183 54246->54188 54247->54183 54248->54184 54249->54192 54250->54190 54251->54191 54252->54199 54253->54195 54254->54202 54255->54206 54256->54204 54260 4bc270 54257->54260 54258 4bc28b 54258->54216 54260->54258 54269 4950d4 14 API calls __dosmaperr 54260->54269 54261 4bc2af 54270 497d29 50 API calls __wsopen_s 54261->54270 54263 4bc2ba 54263->54216 54264->54217 54265->54213 54266->54223 54267->54219 54268->54222 54269->54261 54270->54263 54271->54233 54276 49b329 LeaveCriticalSection 54272->54276 54274 4a2fd0 54274->54169 54274->54170 54275->54231 54276->54274 54277 48db16 54278 48db1e 54277->54278 54279 48e1c0 55 API calls 54278->54279 54280 48db2a 54279->54280 54281 4abbf5 CatchGuardHandler 5 API calls 54280->54281 54282 48e0d0 54281->54282

                                  Control-flow Graph

                                  APIs
                                  • KiUserCallbackDispatcher.NTDLL(0000004C), ref: 00485F72
                                  • GetSystemMetrics.USER32(0000004D), ref: 00485F7C
                                  • GetSystemMetrics.USER32(0000004E), ref: 00485F86
                                  • GetSystemMetrics.USER32(0000004F), ref: 00485F90
                                  • GetDC.USER32(00000000), ref: 00485F9A
                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 00485FAF
                                  • GetDeviceCaps.GDI32(?,0000000A), ref: 00485FBB
                                  • CreateCompatibleDC.GDI32(?), ref: 00485FC5
                                  • CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00485FDA
                                  • SelectObject.GDI32(?,00000000), ref: 00485FEE
                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,40CC0020), ref: 0048601D
                                  • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 0048604F
                                  • DeleteDC.GDI32(?), ref: 0048606E
                                  • ReleaseDC.USER32(00000000,?), ref: 00486077
                                  • DeleteObject.GDI32(?), ref: 00486083
                                  • IStream_Size.SHLWAPI(?,?,?), ref: 004860F5
                                  • IStream_Reset.SHLWAPI(?), ref: 00486104
                                  • IStream_Read.SHLWAPI(?,00000000,?,?), ref: 0048611E
                                  • DeleteDC.GDI32(?), ref: 00486175
                                  • ReleaseDC.USER32(00000000,?), ref: 00486183
                                  • DeleteObject.GDI32(?), ref: 0048618F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Delete$CreateMetricsObjectStream_System$CapsCompatibleDeviceRelease$BitmapCallbackDispatcherReadResetSelectSizeStreamUser
                                  • String ID:
                                  • API String ID: 2798906502-0
                                  • Opcode ID: 99dc10b740a5f021b41c68854b237c0d4245f8800150c2945631f9edaba6f951
                                  • Instruction ID: 1540f068b23de5c11a4fec01122546931e44dbb37a8a944e45ab45a1281bc334
                                  • Opcode Fuzzy Hash: 99dc10b740a5f021b41c68854b237c0d4245f8800150c2945631f9edaba6f951
                                  • Instruction Fuzzy Hash: F4812971C01218AFDB11EB64DC49BEDBBB8EF09314F1041AAE509B7291DB742E84CF99

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00486990: EnumDisplayDevicesW.USER32(00000000,00000000,00000348,00000001), ref: 00486A68
                                    • Part of subcall function 00486990: EnumDisplayDevicesW.USER32(00000000,00000001,00000348,00000001), ref: 00486ABD
                                    • Part of subcall function 004868B0: RegGetValueA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,ProductName,00000002,00000000,?,?), ref: 00486916
                                    • Part of subcall function 004863F0: GetUserNameW.ADVAPI32(?,?), ref: 00486464
                                    • Part of subcall function 004864E0: GetComputerNameW.KERNEL32(?,?), ref: 00486554
                                    • Part of subcall function 004517F0: Concurrency::cancel_current_task.LIBCPMT ref: 004518C2
                                    • Part of subcall function 0044BAD0: Concurrency::cancel_current_task.LIBCPMT ref: 0044BBB3
                                  • GlobalMemoryStatusEx.KERNEL32(?,00000003), ref: 00488A6C
                                  • GetDesktopWindow.USER32 ref: 0048936A
                                  • GetWindowRect.USER32(00000000), ref: 00489371
                                  • _strftime.LIBCMT ref: 0048956B
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,system,00000006), ref: 0048979A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Name$Concurrency::cancel_current_taskDevicesDisplayEnumWindow$ComputerDesktopFileGlobalMemoryModuleRectStatusUserValue_strftime
                                  • String ID: %d-%m-%Y, %H:%M:%S$>wfw$computer_name$cpu$gpu$ram$system$time$timezone$user_name
                                  • API String ID: 3994675093-2215247992
                                  • Opcode ID: 780eb4c071b8c58362fb5c4d0a213da67d6cb8a55b1d61346fd39ba53df65c40
                                  • Instruction ID: 1ab1bce1cb2369babe93dc2c843a9f66333b387f055d73d8335e63cf3a34051b
                                  • Opcode Fuzzy Hash: 780eb4c071b8c58362fb5c4d0a213da67d6cb8a55b1d61346fd39ba53df65c40
                                  • Instruction Fuzzy Hash: FC037970C052A99BDB26DF28C8547DDBBB1AF19308F2482DEE44867242DB751F85CF92

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000008,00000000,30B73C3E), ref: 0047E2A3
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 0047E2AA
                                  • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,00000004), ref: 0047E2CE
                                  • CloseHandle.KERNEL32(00000000), ref: 0047E2F3
                                  • ExitProcess.KERNEL32 ref: 0047E32D
                                  • OpenMutexA.KERNEL32(001F0001,00000000,?), ref: 0047E411
                                  • ExitProcess.KERNEL32 ref: 0047E420
                                  • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 0047E436
                                  • ExitProcess.KERNEL32 ref: 0047E457
                                  • ReleaseMutex.KERNEL32(00000000), ref: 0047E525
                                  • CloseHandle.KERNEL32(00000000), ref: 0047E52C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$ExitMutex$CloseHandleOpenToken$CreateCurrentInformationRelease
                                  • String ID: SeDebugPrivilege$SeImpersonatePrivilege
                                  • API String ID: 1905835197-3768118664
                                  • Opcode ID: 1304b057001cb0e859eaf618cd2e17930212c1f0f1b5904f04536edf5095bcb9
                                  • Instruction ID: e600725b129d9e3f70f3f4d3925b8df88ff981f4a24a656009bcaac003b6a44b
                                  • Opcode Fuzzy Hash: 1304b057001cb0e859eaf618cd2e17930212c1f0f1b5904f04536edf5095bcb9
                                  • Instruction Fuzzy Hash: 80817F70D01258EFDB00EFE6D9457DDBBB4EF08308F10815EE51AA7281DB785A05DB69

                                  Control-flow Graph

                                  APIs
                                  • LoadLibraryA.KERNEL32(?,30B73C3E), ref: 004464FE
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0044664C
                                  • GetProcAddress.KERNEL32(?,?), ref: 0044678C
                                  • GetProcAddress.KERNEL32(?,?), ref: 00446831
                                  • GetProcAddress.KERNEL32(?,?), ref: 004468D6
                                  • GetProcAddress.KERNEL32(?,?), ref: 0044697B
                                  • GetProcAddress.KERNEL32(?,?), ref: 00446A27
                                  • FreeLibrary.KERNEL32(00000000), ref: 004473A1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Library$FreeLoad
                                  • String ID: system$vault$!F
                                  • API String ID: 2449869053-2452413646
                                  • Opcode ID: e0fea6c89a0f53085211ecf823e563bfcd2fd38e707c4234fd3e69986002ee46
                                  • Instruction ID: b3fd50756066dde9c2bcdca3b11f87412f5b17b86e41c1a20d378922be8368ac
                                  • Opcode Fuzzy Hash: e0fea6c89a0f53085211ecf823e563bfcd2fd38e707c4234fd3e69986002ee46
                                  • Instruction Fuzzy Hash: 2CA2DFB4D0426D8BDB25CFA8C884BEEBBB1BF59304F1081DAD948B7251DB385A85CF54
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: #d5,$3sQ$QOP$`V[$chrome_key$content$directory_iterator::directory_iterator$exists$filename$key$recursive_directory_iterator::operator++$recursive_directory_iterator::recursive_directory_iterator$status
                                  • API String ID: 0-172604419
                                  • Opcode ID: 17df5ce69d1b830cbb9f37ff71955c945b1fa03de86001ee781908370b965299
                                  • Instruction ID: 6f449b873cefd2acf2ff512572e56acebc9c82323065b3056b94c270879c015f
                                  • Opcode Fuzzy Hash: 17df5ce69d1b830cbb9f37ff71955c945b1fa03de86001ee781908370b965299
                                  • Instruction Fuzzy Hash: 0C539870D01298DBDB21DBA8C9447DDBBB0AF19314F1482DEE44967292EB381F85CF96

                                  Control-flow Graph

                                  APIs
                                  • InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00485AB8
                                  • InternetOpenUrlA.WININET(00000000,?,?,00000000,84880100,00000000), ref: 00485B23
                                  • HttpQueryInfoW.WININET(00000000,00000013,?,?,00000000), ref: 00485B7C
                                  • HttpQueryInfoW.WININET(00000000,00000005,?,00000040,00000000), ref: 00485C0D
                                  • InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000), ref: 00485C4F
                                  • InternetReadFile.WININET(00000000,00000000,?,0B911A77), ref: 00485CE0
                                  • InternetCloseHandle.WININET(00000000), ref: 00485DEE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$Query$HttpInfoOpen$AvailableCloseDataFileHandleRead
                                  • String ID: dk{u
                                  • API String ID: 1359475806-1025949191
                                  • Opcode ID: 27b0cd3a0b6fc00430f0ab845b11a26261cda9ec311c293bfde6673f79c1c1f5
                                  • Instruction ID: 61ea4010c365d261526b7633df9a1f3866779007c1279ae13805143fd257e1b9
                                  • Opcode Fuzzy Hash: 27b0cd3a0b6fc00430f0ab845b11a26261cda9ec311c293bfde6673f79c1c1f5
                                  • Instruction Fuzzy Hash: 320203B0D057599BDB20CFA4C944BDDBBB5BF19304F20819AE848BB241EB746A84CF95

                                  Control-flow Graph

                                  APIs
                                  • GetFileAttributesExW.KERNEL32(000000FF,00000000,?,00000001,?,?), ref: 004B85DD
                                  • GetLastError.KERNEL32 ref: 004B85E7
                                  • FindFirstFileW.KERNEL32(000000FF,?), ref: 004B85FE
                                  • GetLastError.KERNEL32 ref: 004B8609
                                  • FindClose.KERNEL32(00000000), ref: 004B8615
                                  • ___std_fs_open_handle@16.LIBCPMT ref: 004B86CE
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorFileFindLast$AttributesCloseFirst___std_fs_open_handle@16
                                  • String ID:
                                  • API String ID: 2340820627-0
                                  • Opcode ID: 26e86fa6e15967cd6674ed6e37e588395ab66286ab2511015f361a3ca517eeda
                                  • Instruction ID: b482ff722bd6c6e5562e69f300935f677b27db246a655513dfd80cbad8c50a56
                                  • Opcode Fuzzy Hash: 26e86fa6e15967cd6674ed6e37e588395ab66286ab2511015f361a3ca517eeda
                                  • Instruction Fuzzy Hash: 6271A174A01619AFCB60CF28DC84BEAB7B8BF15314F24466AE854E3380DF389D41CB65

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,30B73C3E,30B73C3E,00000000,00000000), ref: 0048CBC1
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 0048CBC8
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0048CBDF
                                  • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 0048CC10
                                  • CloseHandle.KERNEL32(00000000), ref: 0048CC2E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                  • String ID: SeDebugPrivilege
                                  • API String ID: 3038321057-2896544425
                                  • Opcode ID: 0de4daaceb39ec4f5814627b6f1dd40d7c5fb6c13739ccbd22e93afb17c114b7
                                  • Instruction ID: c2b5bf8999928723eaabf61e86e1a0babf1022b92d12b441156265fc3f808218
                                  • Opcode Fuzzy Hash: 0de4daaceb39ec4f5814627b6f1dd40d7c5fb6c13739ccbd22e93afb17c114b7
                                  • Instruction Fuzzy Hash: 4631A471D01208AFDB10DFA5DD85BEEBBB8EB09710F14422BE911B7280DB745A44CBB5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task$___std_fs_directory_iterator_advance@8
                                  • String ID: config$content$directory_iterator::directory_iterator$exists$filename$status$users
                                  • API String ID: 1444412035-815903332
                                  • Opcode ID: 318ca2c7c1d0ec5466f5f7fa8089217a923a2ba81121507c44c59a0bacf04028
                                  • Instruction ID: 69ad5e660c85d4a4c183ac21095e054d7cf3219f32a2a219316693d81515d842
                                  • Opcode Fuzzy Hash: 318ca2c7c1d0ec5466f5f7fa8089217a923a2ba81121507c44c59a0bacf04028
                                  • Instruction Fuzzy Hash: 83036670C012A8DBEB25DF68C9447EDBBB0BF19308F1481DAE44967242DB785B89CF95
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,30B73C3E), ref: 0044741C
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00447468
                                  • Process32NextW.KERNEL32(?,0000022C), ref: 004475CD
                                  • CloseHandle.KERNEL32(?), ref: 004478D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID: [PID:
                                  • API String ID: 420147892-2210602247
                                  • Opcode ID: 00a4c7370ab244673b995b9020be7cd172b3c681c07cd5bca9af25658960b9f7
                                  • Instruction ID: 3632983ffbfa210010dfb9a713b5006bf5dbac80d679a8e5b8b4f374b17b9b69
                                  • Opcode Fuzzy Hash: 00a4c7370ab244673b995b9020be7cd172b3c681c07cd5bca9af25658960b9f7
                                  • Instruction Fuzzy Hash: 0AE14770D112689BDB2ADF24CC807AEBBB9BF59304F1481D9E84867251DB346F89CF45
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ;r0'$Te=J$exists$filename$prefs.js$4So
                                  • API String ID: 0-741858243
                                  • Opcode ID: 11664829bde5b78b5a453b90576b65e8c9c4f4be2f2613c5aa62205ba5478c4c
                                  • Instruction ID: 8485e3fbea9921b25a1b00865498cb3d77a8dac2e86307723f5e7c2a487e452b
                                  • Opcode Fuzzy Hash: 11664829bde5b78b5a453b90576b65e8c9c4f4be2f2613c5aa62205ba5478c4c
                                  • Instruction Fuzzy Hash: F182EFB0D052689FDB65CF68C985BDDBBB0AF19304F1082EAE84CA7251EB341B85CF55
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task___std_fs_convert_wide_to_narrow@20
                                  • String ID: content$directory_iterator::directory_iterator$exists$filename$status
                                  • API String ID: 2353561611-3429737954
                                  • Opcode ID: 7405bf85bba606f5aa6e5f11bda1af194d4c4d3f657d06d7efc73589d2298c94
                                  • Instruction ID: 45a97de4b3c177a88e72af5189b64a28b2304548a2ed9d28553215762f3f74ee
                                  • Opcode Fuzzy Hash: 7405bf85bba606f5aa6e5f11bda1af194d4c4d3f657d06d7efc73589d2298c94
                                  • Instruction Fuzzy Hash: DBD24770D05268DBDB22DF68C8547DDBBB0AF19304F1482DAE44867282DB785F89CF95
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004403C0
                                  • FindNextFileW.KERNELBASE(00000000,?), ref: 004406F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFind$FirstNext
                                  • String ID: content$filename
                                  • API String ID: 1690352074-474635906
                                  • Opcode ID: 3df7f202a6b99253f354de22ded639a46978a58fefe962044121c03344fab8ef
                                  • Instruction ID: 3fd07a7a2c97014430c74f1e6d5836f1a3ad12268408335d8deab24a75892f91
                                  • Opcode Fuzzy Hash: 3df7f202a6b99253f354de22ded639a46978a58fefe962044121c03344fab8ef
                                  • Instruction Fuzzy Hash: 2BD1D430D01249DBEB15EB64CD457EEBBB4AF21308F1440AEE505A7292DB785F48CB96
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: content$directory_iterator::directory_iterator$exists$filename$status
                                  • API String ID: 0-3429737954
                                  • Opcode ID: 0f0324d2262f6727271b1798928450f2e50f2587d7e5877d9cda94f309b22af2
                                  • Instruction ID: 4f0253fa2b569f3355fb29b5c5a77bd21c490a3de55638da9b673f05fe568e9e
                                  • Opcode Fuzzy Hash: 0f0324d2262f6727271b1798928450f2e50f2587d7e5877d9cda94f309b22af2
                                  • Instruction Fuzzy Hash: 137234B0D05268CBDB25CFA8C8817EEBBB1BF19304F14819AD849B7341DB785A85CF95
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: R$array$object$object key$object separator
                                  • API String ID: 0-4025529536
                                  • Opcode ID: c2ea74c46638cb6805419194197d9cd192a644bc36a2140f7da50fef402dd0ab
                                  • Instruction ID: a821d995b12610201d621210502fbeceba3941e2954cbb2726e101dc0738d9ca
                                  • Opcode Fuzzy Hash: c2ea74c46638cb6805419194197d9cd192a644bc36a2140f7da50fef402dd0ab
                                  • Instruction Fuzzy Hash: C322CB70D0035CDFDB14DBA8C855BEEBBB4AF15305F10455EE806A7282EB786A4CCB95
                                  APIs
                                  • recv.WS2_32(?,00002000,00000000), ref: 004854A4
                                  • recv.WS2_32(?,00000001,00000000), ref: 004857E2
                                  • closesocket.WS2_32(00000200), ref: 004857EE
                                  • WSACleanup.WS2_32 ref: 004857F4
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: recv$Cleanupclosesocket
                                  • String ID:
                                  • API String ID: 146070474-0
                                  • Opcode ID: 9e36abc3380925dd93690334c8facdcdb208839f31d4ee637cc8ac082e786f44
                                  • Instruction ID: ea48c0c3f42896101b1dfecbe024c21eb3956ad5c3a4809403442742827d540a
                                  • Opcode Fuzzy Hash: 9e36abc3380925dd93690334c8facdcdb208839f31d4ee637cc8ac082e786f44
                                  • Instruction Fuzzy Hash: 4CE19C70D01298DEDB14EB64CC49BDEBBB2BF14308F1041DAE449AB292DB745E88DF95
                                  APIs
                                  • GetTimeZoneInformation.KERNEL32(?,30B73C3E,00000000,000000BF), ref: 00487C87
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationTimeZone
                                  • String ID: @Zb=$[UTC
                                  • API String ID: 565725191-730387550
                                  • Opcode ID: ecc325c629874c76bfafec243e908c12f8c02a0cf1ea070a0f793f87ea8e073d
                                  • Instruction ID: 6d71337f0f8cf227c7c56c381cd8fae4285dcd83216f0cb77706b7edbf0b928b
                                  • Opcode Fuzzy Hash: ecc325c629874c76bfafec243e908c12f8c02a0cf1ea070a0f793f87ea8e073d
                                  • Instruction Fuzzy Hash: E0520270D052688BDB25CF28CC947DDBBB1BF59304F1082DAD949AB281DB756B85CF84
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: content$directory_iterator::directory_iterator$exists$filename
                                  • API String ID: 118556049-1400943384
                                  • Opcode ID: f5691b255ea6dbc5edbd5c9a2dd3daa32d7e1fdddb1a19eceb15310520a34560
                                  • Instruction ID: f0d25c64484c1e08d98ca61568cc243e7f3e3728f1e912629745c9d05fd4e174
                                  • Opcode Fuzzy Hash: f5691b255ea6dbc5edbd5c9a2dd3daa32d7e1fdddb1a19eceb15310520a34560
                                  • Instruction Fuzzy Hash: F26234B0D01268CBDB25DFA8C9817EDBBB0BF19304F14829AD84977342DB785A85CF95
                                  APIs
                                    • Part of subcall function 0049C0BD: RtlFreeHeap.NTDLL(00000000,00000000,?,004A4A11,?,00000000,?,?,004A4CB2,?,00000007,?,?,004A3378,?,?), ref: 0049C0D3
                                    • Part of subcall function 0049C0BD: GetLastError.KERNEL32(?,?,004A4A11,?,00000000,?,?,004A4CB2,?,00000007,?,?,004A3378,?,?), ref: 0049C0DE
                                  • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,004A1227,00000000,00000000,00000000), ref: 004A10E6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorFreeHeapInformationLastTimeZone
                                  • String ID: Eastern Standard Time$Eastern Summer Time
                                  • API String ID: 3335090040-239921721
                                  • Opcode ID: ad663869331fc52042eea7bfe790139a2e80b582501180bae3c234ee24cd9100
                                  • Instruction ID: 53762b2ebd1cb462dfa51e434dc7c6f7f2cc61e8d19f93444a713380c049c16d
                                  • Opcode Fuzzy Hash: ad663869331fc52042eea7bfe790139a2e80b582501180bae3c234ee24cd9100
                                  • Instruction Fuzzy Hash: 73410871C00224ABDB10AF76DC45A9F7BB8EF6A754F10415BF510EB2A1E7349D04DB98
                                  APIs
                                  • FindClose.KERNEL32(000000FF,?,004B84EE,00000001,?,?,00437D69,?,004BDC4D,00000001,?,?,?,30B73C3E,00000001), ref: 004B84CC
                                  • FindFirstFileExW.KERNEL32(000000FF,00000001,30B73C3E,00000000,00000000,00000000,00000001,00000001,?,?,004B84EE,00000001,?,?,00437D69,?), ref: 004B84FB
                                  • GetLastError.KERNEL32(?,004B84EE,00000001,?,?,00437D69,?,004BDC4D,00000001,?,?,?,30B73C3E,00000001), ref: 004B850D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseErrorFileFirstLast
                                  • String ID:
                                  • API String ID: 4020440971-0
                                  • Opcode ID: 6891505d0e316c560b8af891ce29886cce9dd01a211028f8c8b4780eaf2fe176
                                  • Instruction ID: a5a0d7868366c0cca89b591e166bcddb9b03d08ebbd2c2fb18ba3c3c76c3338f
                                  • Opcode Fuzzy Hash: 6891505d0e316c560b8af891ce29886cce9dd01a211028f8c8b4780eaf2fe176
                                  • Instruction Fuzzy Hash: 0AF03071001109BFDB216FA4EC08AAA7B9DEB14360B10862ABD28C55A0EA359961DB79
                                  APIs
                                    • Part of subcall function 00487290: RegOpenKeyExA.KERNEL32(80000001,0047F265,00000000,00020019,00000000,30B73C3E,?,0051C288), ref: 0048735B
                                    • Part of subcall function 00487290: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00487397
                                    • Part of subcall function 004870B0: RegOpenKeyExA.KERNEL32(80000001,0051C570,00000000,00020019,00000000,30B73C3E,0051C570,0051C2A0), ref: 00487182
                                    • Part of subcall function 004870B0: RegQueryValueExA.KERNEL32(00000000,?,00000000,000F003F,?,00000400), ref: 004871B6
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004487A3
                                    • Part of subcall function 004870B0: RegCloseKey.ADVAPI32(00000000), ref: 00487260
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Open$CloseEnumIos_base_dtorQueryValuestd::ios_base::_
                                  • String ID: 0hC
                                  • API String ID: 3553622603-2581318919
                                  • Opcode ID: d67952ad296be641604341227b5bd81adf4ff3c928ca5be23fbad6f8090b2740
                                  • Instruction ID: d381e0b8d15ce89c3a027b92e8a5ae116750b180a2e65f5cba22683de7249f8f
                                  • Opcode Fuzzy Hash: d67952ad296be641604341227b5bd81adf4ff3c928ca5be23fbad6f8090b2740
                                  • Instruction Fuzzy Hash: EA82CEB4E152688FEB25CF18C8957DDBBB0BF5A304F5082DAD98DA7241DB305A85CF81
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0047A678
                                  • LocalFree.KERNEL32(?,00000000), ref: 0047A70F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CryptDataFreeLocalUnprotect
                                  • String ID:
                                  • API String ID: 1561624719-0
                                  • Opcode ID: 23f8f3dfd76d3946956684746ccb5c99c2b1de592e134c678ee3552ffd4f36d7
                                  • Instruction ID: 0fc5e8941a16b16f9458543aa06cdc6e77fe0ca1878954e15eaf8ff6be4b297f
                                  • Opcode Fuzzy Hash: 23f8f3dfd76d3946956684746ccb5c99c2b1de592e134c678ee3552ffd4f36d7
                                  • Instruction Fuzzy Hash: 86518B70C00249EBEB00DFA5D845BDEFBB4FF54708F14821AE81477281D7B96A98CBA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: i`[
                                  • API String ID: 0-627998571
                                  • Opcode ID: e3a410a9e3ca53c342af7cc7fde5a733c932cb315480ea9a7238ac1123cd91a2
                                  • Instruction ID: f409668d1dcd92952583ea64716c6161a23bbeab54c2797513d5a6ff86e8a7fe
                                  • Opcode Fuzzy Hash: e3a410a9e3ca53c342af7cc7fde5a733c932cb315480ea9a7238ac1123cd91a2
                                  • Instruction Fuzzy Hash: 68D29DB4D0436C8ADB25CF99D8957DCFBB2BF49304F00819AD959AB345EB341A8ACF44
                                  APIs
                                  • GetLogicalDriveStringsW.KERNEL32(00000104,?,30B73C3E), ref: 00487605
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DriveLogicalStrings
                                  • String ID:
                                  • API String ID: 2022863570-0
                                  • Opcode ID: af7986355f76353f56621d05ed0878166b8efb0a331a21fa16df84ccda1fe4cc
                                  • Instruction ID: 0be71067b94349f3b163f10fc7865c9901b3f86c171c2f757c76e38bbf7f7ec5
                                  • Opcode Fuzzy Hash: af7986355f76353f56621d05ed0878166b8efb0a331a21fa16df84ccda1fe4cc
                                  • Instruction Fuzzy Hash: 3351BD70C05318DBDB20DF64D85979EB7B0EF18304F1082DED409A7291EBB86A88CB95
                                  APIs
                                  • GetUserNameW.ADVAPI32(?,?), ref: 00486464
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: NameUser
                                  • String ID:
                                  • API String ID: 2645101109-0
                                  • Opcode ID: f4ed9f5e37941df1e9ba9867385f1ec3f0cb7986d12087e88cefc21d8231c34a
                                  • Instruction ID: 991b9e5c4f1dd7985d860474454b41f109cd49006b683c09ab2e27c6457cb47f
                                  • Opcode Fuzzy Hash: f4ed9f5e37941df1e9ba9867385f1ec3f0cb7986d12087e88cefc21d8231c34a
                                  • Instruction Fuzzy Hash: AF217FB0D043189BD721DF15C844B9ABBF4FB08714F0046AEE84997380DBB9A6849BE5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: cores
                                  • API String ID: 0-2370456839
                                  • Opcode ID: 7caecc748150b05fedb2737b290fa2d10d67063e027dfbdfaad7aac65fe8cbf0
                                  • Instruction ID: e3a9e89045bf121aadbf864e887aeb25ba0c58f762de233e8adf5c73134b1a6d
                                  • Opcode Fuzzy Hash: 7caecc748150b05fedb2737b290fa2d10d67063e027dfbdfaad7aac65fe8cbf0
                                  • Instruction Fuzzy Hash: 2B916871D003599BDB00CFA8C9547EEFBB4FF59304F14825AE404BB292EBB56A84CB91
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 02a584f50cec7d117239a346da7015494028620e642b4639fe7f05473c013932
                                  • Instruction ID: a79bf28788cd7fece911b6e1e66e8534556c7722a2d9226744d1a7d19b7185e3
                                  • Opcode Fuzzy Hash: 02a584f50cec7d117239a346da7015494028620e642b4639fe7f05473c013932
                                  • Instruction Fuzzy Hash: 89F197B4D053588BDB25CFA8CA91BDDBBB0AF4A314F20419AD84DBB351DB306A85CF44
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 186fcadbebabc4ac8475eff220d5f03fe57b16df31032e8b523138032ae08221
                                  • Instruction ID: 4fd346efeb900e22f944567b89219bf35164593af445f665e6b4c60aa2d00baf
                                  • Opcode Fuzzy Hash: 186fcadbebabc4ac8475eff220d5f03fe57b16df31032e8b523138032ae08221
                                  • Instruction Fuzzy Hash: 76F187B4D053588BDB25CFA8CA91BDDBBB0BF5A304F20419AD84DAB351DB306A85CF44
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ee95dc0e5b5396d58bf0237a5e01a6f13710f7daf9d7380e93e4a8007b91f328
                                  • Instruction ID: 7cc2350b8a4e2648267175039a6658fe4e1c6b2b5322fe7f087af9f211071a42
                                  • Opcode Fuzzy Hash: ee95dc0e5b5396d58bf0237a5e01a6f13710f7daf9d7380e93e4a8007b91f328
                                  • Instruction Fuzzy Hash: 0CF187B4D053588BDB25CFA8CA91BDDBBB0BF4A304F20419AD84DAB351DB306A85CF44

                                  Control-flow Graph
                                  • Function 00480C80-00480F83 (rendered graph and executed/not-executed colouring omitted). Blocks reach EnterCriticalSection, GdiplusStartup, LeaveCriticalSection, GdipGetImageEncodersSize, GdipGetImageEncoders, GdipCreateBitmapFromScan0 or GdipCreateBitmapFromHBITMAP, GdipSaveImageToStream and GdipDisposeImage; internal subcalls 004808F0, 004ABBF5, 00480510, 004AC9F0, 004805D0, 00497E9C, 00497357.
                                  APIs
                                    • Part of subcall function 004808F0: InitializeCriticalSectionEx.KERNEL32(0051C7AC,00000000,00000000), ref: 0048096F
                                    • Part of subcall function 004808F0: GetLastError.KERNEL32 ref: 00480979
                                  • EnterCriticalSection.KERNEL32(00000004,30B73C3E,?,?), ref: 00480CD8
                                  • GdiplusStartup.GDIPLUS(00000000,00000001,?), ref: 00480D08
                                  • LeaveCriticalSection.KERNEL32(00000004), ref: 00480D13
                                  • LeaveCriticalSection.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00480D42
                                  • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00480D50
                                  • __alloca_probe_16.LIBCMT ref: 00480D7E
                                  • GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00480DCE
                                  • GdipCreateBitmapFromScan0.GDIPLUS(?,?,?,0026200A,?,?), ref: 00480EB3
                                  • GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 00480ED0
                                  • GdipDisposeImage.GDIPLUS(00000000), ref: 00480F33
                                  • GdipDisposeImage.GDIPLUS(00000000), ref: 00480F4C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Gdip$Image$CriticalSection$DisposeEncodersLeave$BitmapCreateEnterErrorFromGdiplusInitializeLastSaveScan0SizeStartupStream__alloca_probe_16
                                  • String ID:
                                  • API String ID: 1308617310-0
                                  • Opcode ID: db8e19989c3c8e354b887b54b5669c89f7a5afa25811b29cf81357a5f4059125
                                  • Instruction ID: f4feccb951fe1b922ecb3dfaf5b8302156747445c0b76c240fb24b0f4f51c94e
                                  • Opcode Fuzzy Hash: db8e19989c3c8e354b887b54b5669c89f7a5afa25811b29cf81357a5f4059125
                                  • Instruction Fuzzy Hash: D1A165B1D10208DFDB50DFA4C984BAEBBF4FF49314F24452AE905A7340D778A949CBA9

                                  Control-flow Graph
                                  • Function 00481B10-00481EFD (rendered graph and executed/not-executed colouring omitted). Blocks reach WSAStartup, socket, htons, inet_pton, connect, closesocket and WSACleanup; internal subcalls 00485E30, 004517F0, 0044A980, 0044D3B0, 004ABC08, 0044BAD0, 0044D060, 004ABBF5, 00480F90, 0044CFD0, 00473550, 00498020, 0044D7D0.
                                  APIs
                                    • Part of subcall function 00485E30: GetUserGeoID.KERNEL32(00000010), ref: 00485E6C
                                    • Part of subcall function 00485E30: GetGeoInfoA.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00485E7E
                                    • Part of subcall function 00485E30: GetGeoInfoA.KERNEL32(0000000F,00000004,?,00000000,00000000), ref: 00485ED6
                                  • WSAStartup.WS2_32(00000202,00516D04), ref: 00481C85
                                  • socket.WS2_32(00000002,00000001,00000000), ref: 00481C98
                                  • htons.WS2_32(00000002), ref: 00481CBF
                                  • inet_pton.WS2_32(00000002,00000000,00516E98), ref: 00481DA2
                                  • connect.WS2_32(00516E94,00000010), ref: 00481DB5
                                  • closesocket.WS2_32 ref: 00481DD5
                                  • WSACleanup.WS2_32 ref: 00481DDB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Info$CleanupStartupUserclosesocketconnecthtonsinet_ptonsocket
                                  • String ID: NG$geo$system
                                  • API String ID: 213021568-968879199
                                  • Opcode ID: 3e51a562f8bb916ff5cdbc648a8933530491576e42c442edfc0125d67360bed5
                                  • Instruction ID: a79096e42c26a1a604384fcb43a931ed9af1c00745f33276f8ffcea807cfd111
                                  • Opcode Fuzzy Hash: 3e51a562f8bb916ff5cdbc648a8933530491576e42c442edfc0125d67360bed5
                                  • Instruction Fuzzy Hash: 1DC1AE70D01248DBDB00EFA8C8457DEBBB5FF15308F14421BE854AB391EBB86A85CB95
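                                  The records above list raw API calls per function; a triage analyst usually wants them grouped by capability (DPAPI decryption, screen capture, Winsock C2, host discovery). The following is an added example written for this page, not Joe Sandbox tooling and not code from the analysed sample: it parses the "APIs" bullet lines in the format shown in these records and maps them to capability tags. The sample input is copied from records on this page; the tag mapping, the tag names and the argument decoding (HKEY handles, socket family/type, Winsock version) are this example's own assumptions, not a vendor taxonomy.

```python
"""Triage helper for Joe Sandbox "APIs" bullet lines (added example)."""
import re
from collections import defaultdict

# One bullet per call: optional "Part of subcall function XXXXXXXX:" prefix,
# "api.MODULE", optional "(args)", then "ref: XXXXXXXX" (comma present only
# when an argument list precedes it).
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Assumed grouping for triage of this page's records (not a vendor taxonomy).
_TAGS = [
    ("credential access: DPAPI decrypt (browser/mail secrets)", ["CryptUnprotectData"]),
    ("collection: screen capture",
     ["GdiplusStartup", "GdipCreateBitmapFromScan0", "GdipSaveImageToStream"]),
    ("collection: file system enumeration", ["FindFirstFileExW"]),
    ("command and control: raw Winsock TCP",
     ["WSAStartup", "socket", "connect", "inet_pton", "recv"]),
    ("discovery: geolocation check", ["GetUserGeoID", "GetGeoInfoA"]),
    ("discovery: host fingerprinting",
     ["GetUserNameW", "GetLogicalDriveStringsW", "GetTimeZoneInformation"]),
    ("discovery: registry enumeration",
     ["RegOpenKeyExA", "RegEnumKeyExA", "RegQueryValueExA"]),
]
CAPABILITIES = {api: tag for tag, apis in _TAGS for api in apis}

# Predefined HKEY handles as they appear in the first RegOpenKeyEx argument.
HKEY_NAMES = {"80000000": "HKCR", "80000001": "HKCU",
              "80000002": "HKLM", "80000003": "HKU"}


def parse_api_lines(text):
    """Return one dict per parsable bullet line; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        records.append({"api": m["api"], "module": m["mod"], "args": args,
                        "ref": m["ref"], "subcall": m["sub"]})
    return records


def annotate(rec):
    """Decode the few constant arguments worth reading by eye."""
    api, args = rec["api"], rec["args"]
    if api == "socket" and len(args) >= 2:
        fam = {"00000002": "AF_INET", "00000017": "AF_INET6"}.get(args[0], args[0])
        typ = {"00000001": "SOCK_STREAM", "00000002": "SOCK_DGRAM"}.get(args[1], args[1])
        return f"{fam}/{typ}"
    if api.startswith("RegOpenKeyEx") and args:
        return HKEY_NAMES.get(args[0], args[0])
    if api == "WSAStartup" and args:
        ver = int(args[0], 16)  # MAKEWORD(major, minor): low byte is the major version
        return f"Winsock {ver & 0xFF}.{ver >> 8}"
    return ""


def summarize(records):
    """Map parsed calls to tags; returns {tag: sorted unique call descriptions}."""
    out = defaultdict(set)
    for rec in records:
        tag = CAPABILITIES.get(rec["api"])
        if tag is None:
            continue
        note = annotate(rec)
        out[tag].add(rec["api"] + (f" [{note}]" if note else ""))
    return {tag: sorted(calls) for tag, calls in sorted(out.items())}


# Lines copied from the function records on this page.
SAMPLE = """\
• recv.WS2_32(?,00002000,00000000), ref: 004854A4
• closesocket.WS2_32(00000200), ref: 004857EE
• WSACleanup.WS2_32 ref: 004857F4
  • Part of subcall function 00487290: RegOpenKeyExA.KERNEL32(80000001,0047F265,00000000,00020019,00000000,30B73C3E,?,0051C288), ref: 0048735B
  • Part of subcall function 004870B0: RegQueryValueExA.KERNEL32(00000000,?,00000000,000F003F,?,00000400), ref: 004871B6
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004487A3
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0047A678
• LocalFree.KERNEL32(?,00000000), ref: 0047A70F
• GetLogicalDriveStringsW.KERNEL32(00000104,?,30B73C3E), ref: 00487605
• GetUserNameW.ADVAPI32(?,?), ref: 00486464
• GdipCreateBitmapFromScan0.GDIPLUS(?,?,?,0026200A,?,?), ref: 00480EB3
• GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 00480ED0
  • Part of subcall function 00485E30: GetUserGeoID.KERNEL32(00000010), ref: 00485E6C
• WSAStartup.WS2_32(00000202,00516D04), ref: 00481C85
• socket.WS2_32(00000002,00000001,00000000), ref: 00481C98
• connect.WS2_32(00516E94,00000010), ref: 00481DB5
"""

if __name__ == "__main__":
    for tag, calls in summarize(parse_api_lines(SAMPLE)).items():
        print(f"{tag}: {', '.join(calls)}")
```

                                  Running the script over the lines above groups the HKCU registry walk, the CryptUnprotectData call and the Gdiplus bitmap-to-stream pair under separate tags and decodes socket(2,1,0) as AF_INET/SOCK_STREAM and WSAStartup(0x0202) as Winsock 2.2. Unmapped calls such as LocalFree or CRT internals are parsed but dropped from the summary, so extend _TAGS before relying on it for a different family.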

                                  Control-flow Graph
                                  • Function 004BC57A-004BC8A3 (rendered graph and executed/not-executed colouring omitted). Blocks reach GetFileType, GetLastError and CloseHandle; internal subcalls 004BC2C8, 004950C1, 004A2F56, 004950D4, 004BC233, 0049507A, 004A2E9E, 004BC442, 004BBFDD, 0049C22B, 004A3069.
                                  APIs
                                    • Part of subcall function 004BC233: CreateFileW.KERNEL32(?,00000000,?,004BC623,?,?,00000000,?,004BC623,?,0000000C), ref: 004BC250
                                  • GetLastError.KERNEL32 ref: 004BC68E
                                  • __dosmaperr.LIBCMT ref: 004BC695
                                  • GetFileType.KERNEL32(00000000), ref: 004BC6A1
                                  • GetLastError.KERNEL32 ref: 004BC6AB
                                  • __dosmaperr.LIBCMT ref: 004BC6B4
                                  • CloseHandle.KERNEL32(00000000), ref: 004BC6D4
                                  • CloseHandle.KERNEL32(004BB653), ref: 004BC821
                                  • GetLastError.KERNEL32 ref: 004BC853
                                  • __dosmaperr.LIBCMT ref: 004BC85A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                  • String ID: H
                                  • API String ID: 4237864984-2852464175
                                  • Opcode ID: 1092716943437c36cfa02252dfbb3b8d28f6a4b1d2fea1c18a37bf8b19ebdc4d
                                  • Instruction ID: e4caf95108e2d56c13f9780512823c5111e6df0be3dd416bceb2684eca6e9c1f
                                  • Opcode Fuzzy Hash: 1092716943437c36cfa02252dfbb3b8d28f6a4b1d2fea1c18a37bf8b19ebdc4d
                                  • Instruction Fuzzy Hash: 65A13632A041549FCF19AF68DCD1BEE3BA1AB46314F14015FF8119F391CB798906CBA9

                                  Control-flow Graph
                                  • Function 0047C6C0-0047C880 (rendered graph and executed/not-executed colouring omitted). No Win32 API is called directly from the graph's blocks; internal subcalls 004B8DD0, 004B8E28, 004B9252, 004ABBF5, 004ABC08, 00435DA0, 00435E60, 004B9226.
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0047C6FD
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0047C71F
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0047C747
                                  • std::_Facet_Register.LIBCPMT ref: 0047C834
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0047C85E
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                  • String ID: `aC$p]C
                                  • API String ID: 459529453-1363152631
                                  • Opcode ID: cabbe5fe4785e35b59348adf3c277be28f3fa8ecccfc8a2d1daf856e2b5672de
                                  • Instruction ID: 399bbb442a0c6c40ac274560e971594f6ebfe9651e6100c107b7a0aaef0602e2
                                  • Opcode Fuzzy Hash: cabbe5fe4785e35b59348adf3c277be28f3fa8ecccfc8a2d1daf856e2b5672de
                                  • Instruction Fuzzy Hash: 2C517A71900249DFDB15CF99C580BEEBBB4EB15318F24805ED409AB381DB79AE09CF95

                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004812EC
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000B8), ref: 004812FC
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00481388
                                  • ReadFile.KERNEL32(00000000,00000000,00516C10,00000000,00000000), ref: 004813A4
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: File$Ios_base_dtorPointerReadSizestd::ios_base::_
                                  • String ID: 0hC$exists
                                  • API String ID: 418202444-4085241440
                                  • Opcode ID: 484f58a7a18a46d98bb1edb3502d40a625e7069bcaa41c24cad3f5034e0e3b9d
                                  • Instruction ID: 03b619e30c80654d4b10cf1501dd509fce63877f60a48615618d7203a258c35b
                                  • Opcode Fuzzy Hash: 484f58a7a18a46d98bb1edb3502d40a625e7069bcaa41c24cad3f5034e0e3b9d
                                  • Instruction Fuzzy Hash: 3E425D70D01248DFDB10DFA9C9447DDBBF4BF19308F10819AE849A7291DB746A89CF95

                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00453446
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00453463
                                    • Part of subcall function 004AFA0C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0043FE44,?,?,?,004B9080,0043FE44,00513AB0,?,0043FE44,?,?,0000000C,30B73C3E), ref: 004AFA6C
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 004536B0
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 004536CD
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: ___std_exception_destroy$ExceptionRaise
                                  • String ID: MC$value
                                  • API String ID: 299339551-3840657116
                                  • Opcode ID: 105946c5cbd8b82caa2ff389fd77db40c33b1abb7ad3302a948b5beaa238df8e
                                  • Instruction ID: 0b049260404a019bd3923239173dd3b15bf9369a861e2bc94eedd162a5d5976f
                                  • Opcode Fuzzy Hash: 105946c5cbd8b82caa2ff389fd77db40c33b1abb7ad3302a948b5beaa238df8e
                                  • Instruction Fuzzy Hash: 1EF16B70C05298DEEB20DB65C954BDEFBB4AF19304F1481DED84963282E7746B88CF96

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 24a8d8a0d010bfcdd7b7552ae8f1acfd8285e4568f7e2a95cc7afd66be91c88e
                                  • Instruction ID: af9c87e70908a1ee06dfbc346dd9d7a470d4d3b04964572cafa80a59c2292356
                                  • Opcode Fuzzy Hash: 24a8d8a0d010bfcdd7b7552ae8f1acfd8285e4568f7e2a95cc7afd66be91c88e
                                  • Instruction Fuzzy Hash: ACB13274A04249EFEF11CF99C841BAE7FB1AF46304F14417AE5009B392C7B99D4ACB99
                                  APIs
                                  • __allrem.LIBCMT ref: 004987E2
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004987FE
                                  • __allrem.LIBCMT ref: 00498815
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00498833
                                  • __allrem.LIBCMT ref: 0049884A
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00498868
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                  • String ID:
                                  • API String ID: 1992179935-0
                                  • Opcode ID: 0bad0c18fe0cf381acad9996688c966a33eada49a23c210a765f4fa7ac2e53a6
                                  • Instruction ID: bac2f8d64b4771d1480d5067db4f3a3676e567bfb19d99c183f063f20f68270c
                                  • Opcode Fuzzy Hash: 0bad0c18fe0cf381acad9996688c966a33eada49a23c210a765f4fa7ac2e53a6
                                  • Instruction Fuzzy Hash: A68107B26007069BDB20EA6DCC41B5B7BE9AF52364F24453FF111DB791EB78D9008B98
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID: 0$0hC$exists
                                  • API String ID: 323602529-1229763112
                                  • Opcode ID: f10948b3ed40f3b076f8b225239c75273635f3694046d4e0320974136430c3f1
                                  • Instruction ID: 8ad686ceee80f5ac92384c61aa111afe13dce58c6585d204e44adfbc4e8d440e
                                  • Opcode Fuzzy Hash: f10948b3ed40f3b076f8b225239c75273635f3694046d4e0320974136430c3f1
                                  • Instruction Fuzzy Hash: 81D18070D0528CDAEB10DBA8CA45BDCBBF4AF19308F2440DDE4456B282DBB95F48DB56
                                  APIs
                                    • Part of subcall function 0047FD70: ___std_fs_get_current_path@8.LIBCPMT ref: 0047FE92
                                  • GetVolumeInformationW.KERNEL32(?,?,00000100,?,?,?,?,00000100,00000000,?,30B73C3E,?,?), ref: 00486757
                                  • RegGetValueA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,ProductName,00000002,00000000,?,?), ref: 00486916
                                  Strings
                                  • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00486905
                                  • ProductName, xrefs: 00486900
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: InformationValueVolume___std_fs_get_current_path@8
                                  • String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                  • API String ID: 2814272438-1787575317
                                  • Opcode ID: b1404d09f7114e8511fbbac145fb6ec7f4eb5f2e1f33eee02c53c21e1c4c82cd
                                  • Instruction ID: 5513a57b40c567382305f19abecc614c7fb65df7785b10e0462d816fc7d7abf5
                                  • Opcode Fuzzy Hash: b1404d09f7114e8511fbbac145fb6ec7f4eb5f2e1f33eee02c53c21e1c4c82cd
                                  • Instruction Fuzzy Hash: DFA18BB1C012199BDB21DF55CD59BE9B7B4FF14304F1042EAE419A7281EB786B88CF94
                                  APIs
                                  • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,004A1227,00000000,00000000,00000000), ref: 004A10E6
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: InformationTimeZone
                                  • String ID: Eastern Standard Time$Eastern Summer Time
                                  • API String ID: 565725191-239921721
                                  • Opcode ID: 8af85f453ba9ab2101ba6703603c3064577747df0583f4df4771313aa803705a
                                  • Instruction ID: d63cae11faca7fbaaedfd5ec0c01f193a5a5e64d1a9f5e85edff99bc4745f09f
                                  • Opcode Fuzzy Hash: 8af85f453ba9ab2101ba6703603c3064577747df0583f4df4771313aa803705a
                                  • Instruction Fuzzy Hash: D5C15872D00211ABDB20AB65CC02ABF7BB9EF76754F10405BF901EB291E7788E41D798
                                  APIs
                                    • Part of subcall function 0045D680: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 0045D726
                                    • Part of subcall function 0045D680: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 0045D750
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00482387
                                    • Part of subcall function 0043E440: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0043E4CF
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: Ios_base_dtor___std_fs_convert_narrow_to_wide@20std::ios_base::_
                                  • String ID: 0hC$exists
                                  • API String ID: 1525435645-4085241440
                                  • Opcode ID: 8ca7fd5849306998ec001e4bdecb4b4743a0745ed80b2030e0a7e1d66a3192b0
                                  • Instruction ID: 349907f898d0770bf1c6c6bee16b757a414fbaa0545e2b95a55e182eb82389be
                                  • Opcode Fuzzy Hash: 8ca7fd5849306998ec001e4bdecb4b4743a0745ed80b2030e0a7e1d66a3192b0
                                  • Instruction Fuzzy Hash: 1ED19F70D0528CDAEB10DBA8CA45BDCBBF0AF19308F2480DDD4456B282D7B95F58DB56
                                  APIs
                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 004381BC
                                    • Part of subcall function 004B849F: FindNextFileW.KERNELBASE(?,00000001,?,00437D97,?,00000001,?,004BDC4D,00000001,?,?,?,30B73C3E,00000001), ref: 004B84A8
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: FileFindNext___std_fs_directory_iterator_advance@8
                                  • String ID: .$directory_iterator::operator++
                                  • API String ID: 3878998205-1036657373
                                  • Opcode ID: 42ea8ddbda2b7e0b12b5802c67e6a5f09428df7f782a6b2438fae6bd72fb2b67
                                  • Instruction ID: 735a56af49808cf236c7d8626bd4983a1e4e1118483563b87a501f55d85a1d57
                                  • Opcode Fuzzy Hash: 42ea8ddbda2b7e0b12b5802c67e6a5f09428df7f782a6b2438fae6bd72fb2b67
                                  • Instruction Fuzzy Hash: C7318D70A047188BCF30DF59C8887ABF7B4EB49310F14429EE45997391DB395E85CA84
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00435DCB
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00435E2E
                                    • Part of subcall function 004B9356: _Yarn.LIBCPMT ref: 004B9375
                                    • Part of subcall function 004B9356: _Yarn.LIBCPMT ref: 004B9399
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                  • String ID: bad locale name
                                  • API String ID: 1908188788-1405518554
                                  • Opcode ID: 4f591d35f3d0401d16c29d601d846a696ee7aa1707a5175f538b14ce155db12b
                                  • Instruction ID: 3ec4c6a4a97d0462a05707b65000259191fcf5f6abdba4908dc577763c239046
                                  • Opcode Fuzzy Hash: 4f591d35f3d0401d16c29d601d846a696ee7aa1707a5175f538b14ce155db12b
                                  • Instruction Fuzzy Hash: 3B210570805784DFD320CF69C90478BBFF4AF15714F14868ED48597781D3B9AA04CBA5
                                  APIs
                                  • RegGetValueA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,ProductName,00000002,00000000,?,?), ref: 00486916
                                  Strings
                                  • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00486905
                                  • ProductName, xrefs: 00486900
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: Value
                                  • String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                  • API String ID: 3702945584-1787575317
                                  • Opcode ID: b1b14b774ef6c570b057e3b558ffe0deac3071ed0933685e6c950abb9736e9bf
                                  • Instruction ID: c2d08890748770af0873008191db5a05c2fa34d27609d4939fc155a72502f57e
                                  • Opcode Fuzzy Hash: b1b14b774ef6c570b057e3b558ffe0deac3071ed0933685e6c950abb9736e9bf
                                  • Instruction Fuzzy Hash: 95218EB09003599BDB20DF54C805BEABBF8FF04704F10465EE845A7681DBB86A44CB95
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,0047F265,00000000,00020019,00000000,30B73C3E,?,0051C288), ref: 0048735B
                                  • RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00487397
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0048751D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: CloseEnumOpen
                                  • String ID:
                                  • API String ID: 1332880857-0
                                  • Opcode ID: f2df89f7ded2f01219635e19fa6094d0543fceec2d71050d0bf781645f1a3f7c
                                  • Instruction ID: e90b3dd054a924dd9803ab5f17a38fc1c4cefb0d6438d00707aa441ccba3a8d8
                                  • Opcode Fuzzy Hash: f2df89f7ded2f01219635e19fa6094d0543fceec2d71050d0bf781645f1a3f7c
                                  • Instruction Fuzzy Hash: E3717FF0D012189FDB20DF24CD94B9DB7B4EB54304F1082DAEA19A7281D774AE88CF99
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,0051C570,00000000,00020019,00000000,30B73C3E,0051C570,0051C2A0), ref: 00487182
                                  • RegQueryValueExA.KERNEL32(00000000,?,00000000,000F003F,?,00000400), ref: 004871B6
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00487260
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 57d060fa11377f52f079fc837384727404e649e1529402bdcb096a3e64267e6d
                                  • Instruction ID: b9c4edd99e38da91ddb4c738108b0054469e00b62f6e0a688ac56e9026d709b2
                                  • Opcode Fuzzy Hash: 57d060fa11377f52f079fc837384727404e649e1529402bdcb096a3e64267e6d
                                  • Instruction Fuzzy Hash: 905130B0D042189BDB20DF15CD54B9AB7F8FF45708F5042DEE609A7281DB74AA88CF99
                                  APIs
                                  • recv.WS2_32(?,00000001,00000000), ref: 004857E2
                                  • closesocket.WS2_32(00000200), ref: 004857EE
                                  • WSACleanup.WS2_32 ref: 004857F4
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: Cleanupclosesocketrecv
                                  • String ID:
                                  • API String ID: 3447645871-0
                                  • Opcode ID: a55422f294b4942afa1ff90dfbe741e21dd202ebe771de9cafeea328bec9a277
                                  • Instruction ID: c065b03366e761df0b34e2ad76ec595a4b6e3bb6db0e63c2aea2bbb819f94b56
                                  • Opcode Fuzzy Hash: a55422f294b4942afa1ff90dfbe741e21dd202ebe771de9cafeea328bec9a277
                                  • Instruction Fuzzy Hash: 6C415830D11398CEEB14EB65CC59BDEBB71AF10308F1081DAE449672A2DB741E88DFA5
                                  APIs
                                  • GetUserGeoID.KERNEL32(00000010), ref: 00485E6C
                                  • GetGeoInfoA.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00485E7E
                                  • GetGeoInfoA.KERNEL32(0000000F,00000004,?,00000000,00000000), ref: 00485ED6
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: Info$User
                                  • String ID:
                                  • API String ID: 2017065092-0
                                  • Opcode ID: 76db3dc4c87bbc6f384a5473c1c7e0f0467f6834ab8a05054a61e1c1351183cd
                                  • Instruction ID: dee3d2b381a88aa75edb4726eebd2668ef991be1adfc48943d59dd3409b8a73b
                                  • Opcode Fuzzy Hash: 76db3dc4c87bbc6f384a5473c1c7e0f0467f6834ab8a05054a61e1c1351183cd
                                  • Instruction Fuzzy Hash: 60219D70A40305ABE730DF65DD09B5BBBF8EB44B14F104A1EF545AB6C0D7B9AA048BE4
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?,004A2891,00000016,0049036B,?,?,30B73C3E,0049036B,?), ref: 004A28A8
                                  • TerminateProcess.KERNEL32(00000000,?,004A2891,00000016,0049036B,?,?,30B73C3E,0049036B,?), ref: 004A28AF
                                  • ExitProcess.KERNEL32 ref: 004A28C1
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID:
                                  • API String ID: 1703294689-0
                                  • Opcode ID: c52b8aea0878e361db6f998eabd52a91712daacfbdb63a7d2bb12d779e64a9bf
                                  • Instruction ID: 5f52cdf8944b70cf92df4f225d6e01553ce615c3954620652ef0a1f31c52b3c3
                                  • Opcode Fuzzy Hash: c52b8aea0878e361db6f998eabd52a91712daacfbdb63a7d2bb12d779e64a9bf
                                  • Instruction Fuzzy Hash: ACD09E71001108BBDF423F65ED0DB8E3F2AEF55745F044026B9095A131DB799995EB98
                                  APIs
                                    • Part of subcall function 0048A490: GetEnvironmentStringsW.KERNEL32(30B73C3E), ref: 0048A4E4
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00448C83
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: EnvironmentIos_base_dtorStringsstd::ios_base::_
                                  • String ID: 0hC
                                  • API String ID: 21748421-2581318919
                                  • Opcode ID: 61df59d28ddfdf1926466add9277cbc79e4fef289339a47e2564f57312edc11d
                                  • Instruction ID: f3a074da2f4c09c6f09d17eaf24c6677e7622b6743d10a431c53a42b2b0ae44f
                                  • Opcode Fuzzy Hash: 61df59d28ddfdf1926466add9277cbc79e4fef289339a47e2564f57312edc11d
                                  • Instruction Fuzzy Hash: 9DE137B0D00269CBDB25DF18C841BDDBBB4BF59304F1086EAD44977242EB756A85CF91
                                  APIs
                                    • Part of subcall function 0047F1C0: RegOpenKeyExA.KERNEL32(80000001,0051C570,00000000,00020019,00000000,30B73C3E), ref: 0047F211
                                    • Part of subcall function 0047F1C0: RegCloseKey.ADVAPI32(00000000), ref: 0047F221
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0047F194
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseIos_base_dtorOpenstd::ios_base::_
                                  • String ID: 0hC
                                  • API String ID: 1131316584-2581318919
                                  • Opcode ID: 7cba46937cda891c258594ace6fbaf3fef31f328805038bc20a4f0a0119cf12a
                                  • Instruction ID: cfb713b882ce29762410958d43b6c09695d359a02ab63b143eff75d03a191730
                                  • Opcode Fuzzy Hash: 7cba46937cda891c258594ace6fbaf3fef31f328805038bc20a4f0a0119cf12a
                                  • Instruction Fuzzy Hash: 59911674C00298CBDB20DF68C845BDDBBB0AB19314F1086EAD45977282DB746E88CF95
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 00486F86
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: Unknown
                                  • API String ID: 2104809126-1654365787
                                  • Opcode ID: d6032fd6981b0caf5e4c49708838f9cebd9397818ef9a0e4cf965eded2abff42
                                  • Instruction ID: 4cfd0b05124d6ad0cc2ed0fe670d1554fe3cca3eb32f1e14fa8b394e0e179909
                                  • Opcode Fuzzy Hash: d6032fd6981b0caf5e4c49708838f9cebd9397818ef9a0e4cf965eded2abff42
                                  • Instruction Fuzzy Hash: 74418B71D00258CBDB20DF69C8407DEFBF4EF49704F1082AAD899A7281D774AA88CF91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00434FF1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: MC
                                  • API String ID: 2659868963-1829682832
                                  • Opcode ID: a7a485d9c83800eb579eb1fbe217d44add95b41717c89af58e444174cff24a24
                                  • Instruction ID: 040724f085c67d798f1d490f9b73413860191a50a7d7deb79defe6124e27c29a
                                  • Opcode Fuzzy Hash: a7a485d9c83800eb579eb1fbe217d44add95b41717c89af58e444174cff24a24
                                  • Instruction Fuzzy Hash: 3611EB71800308ABCB10DF58DC01B9AB7ACEB15724F10466FF81597780EB79A940CBD8
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0044799C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID: 0hC
                                  • API String ID: 323602529-2581318919
                                  • Opcode ID: 5129ab555f51bed53336c49a6076550c51d3d5e874f0d443237048deba2c8ea9
                                  • Instruction ID: 8ca8b340eaa0dfe9bad33bee777e0704730a4b63aab2394a13b70ad755bbc225
                                  • Opcode Fuzzy Hash: 5129ab555f51bed53336c49a6076550c51d3d5e874f0d443237048deba2c8ea9
                                  • Instruction Fuzzy Hash: CD11ADB0840609DFDB10DF59C840A9DFBF8FB05328F208A6EE85197390EB74AA05CB80
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 004604B4
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 8b13a2037e7e0b03ddde8346a73a64acbab074baffae8b20c15079bbed3282a0
                                  • Instruction ID: 66707b960993136107624c9d81ef05c918eca4bbb2b21c6d520a63eb0cd0cd41
                                  • Opcode Fuzzy Hash: 8b13a2037e7e0b03ddde8346a73a64acbab074baffae8b20c15079bbed3282a0
                                  • Instruction Fuzzy Hash: 04A191B1E002159FDB14DF68C981AAFBBB4EB49314F24422FE815E7385E738AD05CB95
                                  APIs
                                  • ___std_fs_directory_iterator_open@12.LIBCPMT ref: 00437D64
                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00437D92
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
                                  • String ID:
                                  • API String ID: 3016148460-0
                                  • Opcode ID: 73963d7e42f46bada0bb91468d8e6c86860c6526e71e689b58131c2916953d37
                                  • Instruction ID: c774fac7b26238caf8a18ea1cc9dfb162d547f418ec2e445b27f5ef4f4107e88
                                  • Opcode Fuzzy Hash: 73963d7e42f46bada0bb91468d8e6c86860c6526e71e689b58131c2916953d37
                                  • Instruction Fuzzy Hash: E841A0B1D04218DBCB34DF64C480AEEB7B4EF19324F00516BE851AB381EB789D44CB94
                                  APIs
                                  • SHGetKnownFolderPath.SHELL32(004E05C0,00000000,00000000,?,30B73C3E,?,?), ref: 0048101E
                                  • CoTaskMemFree.OLE32(?), ref: 004810DC
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FolderFreeKnownPathTask
                                  • String ID:
                                  • API String ID: 969438705-0
                                  • Opcode ID: 72aa8b02f906d3fbe3ba85b36074818c76339de4eced8fbcc3b8c7e13541c268
                                  • Instruction ID: 3e538bd659216d3e4857fbb8bc962106784e19cd0647cea7878622876b38b54a
                                  • Opcode Fuzzy Hash: 72aa8b02f906d3fbe3ba85b36074818c76339de4eced8fbcc3b8c7e13541c268
                                  • Instruction Fuzzy Hash: 4241ACB0D01748DBDB10CFA5C9457AEFBF4EF58314F20421EE811A7280EBB86A44CB94
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,0051C570,00000000,00020019,00000000,30B73C3E), ref: 0047F211
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0047F221
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpen
                                  • String ID:
                                  • API String ID: 47109696-0
                                  • Opcode ID: 53310d44514645ec7d69775a39ecbdcf721de23dfed265a4b960d742e8fdaebb
                                  • Instruction ID: 54b3090d3cf4edc9b1beeea5084ab922e7ff7cf66e968ba670c482e571a875e7
                                  • Opcode Fuzzy Hash: 53310d44514645ec7d69775a39ecbdcf721de23dfed265a4b960d742e8fdaebb
                                  • Instruction Fuzzy Hash: 1021F675E002199BDB10EF95DC81BEFB7B4EB48714F14827EE819B7382EB399D048694
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F6), ref: 0049ADBB
                                  • GetFileType.KERNEL32(00000000), ref: 0049ADCD
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileHandleType
                                  • String ID:
                                  • API String ID: 3000768030-0
                                  • Opcode ID: 4f32fbaeb40bbd2ddea1473ad080d3a809991d13d49bec4850263f289b53d757
                                  • Instruction ID: 9b806bec79c801feb13e2bd810877b0a9fec2b0519df56a68c4b4061daa9a1e0
                                  • Opcode Fuzzy Hash: 4f32fbaeb40bbd2ddea1473ad080d3a809991d13d49bec4850263f289b53d757
                                  • Instruction Fuzzy Hash: B611B7311047514ACF304A3E8C886677E96AB56331B39073FD4B687AF1C338D9A691CB
                                  APIs
                                  • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,0049F4F8,00000000,00000000,00000000,00000002,00000000), ref: 0049F3FA
                                  • GetLastError.KERNEL32(00000000,?,0049F4F8,00000000,00000000,00000000,00000002,00000000,?,0049BE05,00000000,00000000,00000000,00000002,00000000,00000000), ref: 0049F407
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorFileLastPointer
                                  • String ID:
                                  • API String ID: 2976181284-0
                                  • Opcode ID: 80260035985e1c693c2aa0c1ce2b926f9b01d7339fcba6fc68b9113c9f56a2d4
                                  • Instruction ID: e391caa542caa0dd86735aa216be2178a54a5bfb1c46ce41420e93566301b438
                                  • Opcode Fuzzy Hash: 80260035985e1c693c2aa0c1ce2b926f9b01d7339fcba6fc68b9113c9f56a2d4
                                  • Instruction Fuzzy Hash: 57012232614215AFCF058F69DC49D9E3F2AEF95324F24422AF811DB290E775EE41CB94
                                  APIs
                                    • Part of subcall function 004473D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,30B73C3E), ref: 0044741C
                                    • Part of subcall function 004473D0: Process32FirstW.KERNEL32(00000000,?), ref: 00447468
                                    • Part of subcall function 00445950: CredEnumerateA.ADVAPI32(00000000,00000000,?,?,30B73C3E,00000000,?), ref: 004459B2
                                    • Part of subcall function 00485350: recv.WS2_32(?,00002000,00000000), ref: 004854A4
                                  • ReleaseMutex.KERNEL32(00000000), ref: 0047E525
                                  • CloseHandle.KERNEL32(00000000), ref: 0047E52C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateCredEnumerateFirstHandleMutexProcess32ReleaseSnapshotToolhelp32recv
                                  • String ID:
                                  • API String ID: 420082584-0
                                  • Opcode ID: 43ab8f6d0282bbd386fa8db408f8dbade1bdb5759a0961783a362487319a2d08
                                  • Instruction ID: 21d12501465ffecb104f3396b5f4d487cf58cbb0265569f00e2db2d4d6eee1e0
                                  • Opcode Fuzzy Hash: 43ab8f6d0282bbd386fa8db408f8dbade1bdb5759a0961783a362487319a2d08
                                  • Instruction Fuzzy Hash: D9114C71806548EAEB00FBF7950639DB7A0AF0431CF10C59FE90623182DF7D1A0596AF
                                  APIs
                                    • Part of subcall function 00485350: recv.WS2_32(?,00002000,00000000), ref: 004854A4
                                  • ReleaseMutex.KERNEL32(00000000), ref: 0047E525
                                  • CloseHandle.KERNEL32(00000000), ref: 0047E52C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleMutexReleaserecv
                                  • String ID:
                                  • API String ID: 2659716615-0
                                  • Opcode ID: 0316209b74f7a510048f6aca9fcb45fc03c3e98c7b54836586b8f6f774e638a0
                                  • Instruction ID: d8074609c4b6b56a118d8c4864159468ec2ce210cc92c7876c64f9fcb1cee0d4
                                  • Opcode Fuzzy Hash: 0316209b74f7a510048f6aca9fcb45fc03c3e98c7b54836586b8f6f774e638a0
                                  • Instruction Fuzzy Hash: CD017171806518DAE710FBE2D50679DB7A0AF0931CF50869FE90623282DF791A0187AE
                                  APIs
                                  • RtlFreeHeap.NTDLL(00000000,00000000,?,004A4A11,?,00000000,?,?,004A4CB2,?,00000007,?,?,004A3378,?,?), ref: 0049C0D3
                                  • GetLastError.KERNEL32(?,?,004A4A11,?,00000000,?,?,004A4CB2,?,00000007,?,?,004A3378,?,?), ref: 0049C0DE
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 485612231-0
                                  • Opcode ID: 2c7be629525b77807a060ce78cd6937da288636f168411113672e5418cb75576
                                  • Instruction ID: 589170845ab709ad3b3b60fb6adb52998bb4654d1de7eee66c817f55301082a8
                                  • Opcode Fuzzy Hash: 2c7be629525b77807a060ce78cd6937da288636f168411113672e5418cb75576
                                  • Instruction Fuzzy Hash: 9BE08631500614A7CF222BA1EC0D7893F58DB40355F104036F60897160DF398940CB88
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0048FCEA
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 54dc556bc546888474d3f19e34a31102f3849cfd2e1ddc240e0765d6926b334a
                                  • Instruction ID: 258a51d4530bdfdbcfb978a880514f411ab203130510da66870d02f2c2448e76
                                  • Opcode Fuzzy Hash: 54dc556bc546888474d3f19e34a31102f3849cfd2e1ddc240e0765d6926b334a
                                  • Instruction Fuzzy Hash: DB71F671A002088FCB24EF28C490B6E77A5BF15314F244A7FE865CB791D739EA49CB95
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9135f7d9b5d1880a46c4ac02def5f1366672d51aadf79d8842421bd6ac20231f
                                  • Instruction ID: 5047db877c7d9ae38b531aa0dda64427d2377832e7d6361d0852b000475400c5
                                  • Opcode Fuzzy Hash: 9135f7d9b5d1880a46c4ac02def5f1366672d51aadf79d8842421bd6ac20231f
                                  • Instruction Fuzzy Hash: F45180B5A0060ADFDB18CF28D480999FBB4FF4A320B5082AAE819C7B51D735ED55CBD4
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f4d1b25cda05e585bd14aeef0c776674eabbc591f49ad1024f01acac1088cae4
                                  • Instruction ID: 7d9f16a24b0820fe6bfe4efb506255557b861a5981f24711c09fdeca13a2084c
                                  • Opcode Fuzzy Hash: f4d1b25cda05e585bd14aeef0c776674eabbc591f49ad1024f01acac1088cae4
                                  • Instruction Fuzzy Hash: 8751C470A00104EFDF14CF5ACC85AAE7FA5AF99324F28816AE8095B352D379DE41CB95
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 004586AF
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 9d0e38e8a100f06b44e5b2c958822f107f66b3500270d3682d1b991c4f050d55
                                  • Instruction ID: 39eac46aceff4f274d7df031c3ad8bb7d561d247c585fc64f7f09dd83a036c2e
                                  • Opcode Fuzzy Hash: 9d0e38e8a100f06b44e5b2c958822f107f66b3500270d3682d1b991c4f050d55
                                  • Instruction Fuzzy Hash: E941A4B1E001159FDB04DFA8C841AAEBBB5EF48315F10422EE815F7386DB34AE09CB95
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0045223D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 8aafa409fbbe6252fd8d16ac1cef4b76429e1a26ed72850fe408f5c857c7a805
                                  • Instruction ID: 543f2dd5f5f38f41d79c3b3e326d175c20dbca08f8aec97f7e4552ad9d8ce088
                                  • Opcode Fuzzy Hash: 8aafa409fbbe6252fd8d16ac1cef4b76429e1a26ed72850fe408f5c857c7a805
                                  • Instruction Fuzzy Hash: E1411272E001149BCB05EF68CD806AFB7A5EF56311F1402AFFC15EB302D6789E158B99
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 004520DE
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: a14de396b08b32659630435c90f611bc18073001c29953638865ceda2285425b
                                  • Instruction ID: 53fc907bca80d66a09b4c03435f3e8acb878ccb904669eb33cf36a05cbe64725
                                  • Opcode Fuzzy Hash: a14de396b08b32659630435c90f611bc18073001c29953638865ceda2285425b
                                  • Instruction Fuzzy Hash: E7414272D001049BCB15AF68CD806AEBBA5AF4A305F1002ABED15EB342D7749E158BD9
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0048F9FA
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: d2fccf6f5b3df297b65b13170b90e5c1872a490292f016b70dee3939b6e05f49
                                  • Instruction ID: 91311e753e2fbbf9cdae31aef67f458025fa5287f257254b7d49e4ed808e7769
                                  • Opcode Fuzzy Hash: d2fccf6f5b3df297b65b13170b90e5c1872a490292f016b70dee3939b6e05f49
                                  • Instruction Fuzzy Hash: 4F41B3B2E005049FDB14EF68C985A6EBBA9EB49320F24473EE815D7385DB349D04CB95
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 004517DF
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 4beab17cec18f8408a3d260484db6fe46066ad92ba7b493454d35fe0c2aa28c2
                                  • Instruction ID: 65e916faade23ef3c336758c75d3ad3b55c144e32e026a5ec30b5c92d10e86c8
                                  • Opcode Fuzzy Hash: 4beab17cec18f8408a3d260484db6fe46066ad92ba7b493454d35fe0c2aa28c2
                                  • Instruction Fuzzy Hash: BB316772E001105BCB18EE6D9880A6FB7E9EB88312B24427FEC15D7352DA38DD0987D9
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0044D8F9
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 4a7e0aa971e9c18d460f3d63606fed0fdd4bc56cc13da704aad23d70c2080c39
                                  • Instruction ID: 6687ec20b77dec97c90771c2cbe71989815263d1b8fcacfb2e06f2ee49a1853a
                                  • Opcode Fuzzy Hash: 4a7e0aa971e9c18d460f3d63606fed0fdd4bc56cc13da704aad23d70c2080c39
                                  • Instruction Fuzzy Hash: C3310A71E002045BE714AE6DD880A7EB7A4EF55324F24477FF865C7382D67899408759
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0044BBB3
                                    • Part of subcall function 00434F80: ___std_exception_copy.LIBVCRUNTIME ref: 00434FF1
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task___std_exception_copy
                                  • String ID:
                                  • API String ID: 1979911387-0
                                  • Opcode ID: 14553861a0e6d344c6703ce135879dfe8084568f0dbccc5b703b736294f01183
                                  • Instruction ID: f8cf7cd3dcf405c094d14d4edd2427269fc308b55f739c6c677f8adad7f52d2f
                                  • Opcode Fuzzy Hash: 14553861a0e6d344c6703ce135879dfe8084568f0dbccc5b703b736294f01183
                                  • Instruction Fuzzy Hash: 902126B1E006059BE7149F25D48166AB7A4EF15324F20036FE8258BB91E739FE90C7D6
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __wsopen_s
                                  • String ID:
                                  • API String ID: 3347428461-0
                                  • Opcode ID: c0068bc3e55a3d1622d6bbbbb6d136ac2493d2630b2467d4896e3e7752e83962
                                  • Instruction ID: 7232828ef0ab4ea1277fc9c55e8108ad49929c9e06a984f5114aae078e858d40
                                  • Opcode Fuzzy Hash: c0068bc3e55a3d1622d6bbbbb6d136ac2493d2630b2467d4896e3e7752e83962
                                  • Instruction Fuzzy Hash: B9113671A0010AAFCB05DF58E9819CF7BF4EF88304F00405AF808AB311D770D9118BA4
                                  APIs
                                  • send.WS2_32(?,?,00000000), ref: 00482968
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: send
                                  • String ID:
                                  • API String ID: 2809346765-0
                                  • Opcode ID: 2e230c4dbecb0c91bd7935fcc59657d459b7808623847299c78205d0fd7c7ba6
                                  • Instruction ID: 15365ef676efcd120e403479619ae1d38f6ec3fc5171ce29fb9a7f72e5811cf6
                                  • Opcode Fuzzy Hash: 2e230c4dbecb0c91bd7935fcc59657d459b7808623847299c78205d0fd7c7ba6
                                  • Instruction Fuzzy Hash: 93F0B472302115AB83109A5DAD4096BF7DEDBCA7B0B2003A7FC2CC33E0E9618C0153D4
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,0043FE48,00000001,?,00499445,00000001,00000364,00000001,00000006,000000FF,?,004AD408,0043FE4A,0043FE44,?), ref: 0049C6E5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 934b5854b3b2fba1ba84eb25d33e8f66ddb7b9c5617b0a1ffb822db2bfc3c07a
                                  • Instruction ID: bf89d2d5fe5833ab0f4bff440cdb33f04d1e0b68cec02520bce29c64fa949510
                                  • Opcode Fuzzy Hash: 934b5854b3b2fba1ba84eb25d33e8f66ddb7b9c5617b0a1ffb822db2bfc3c07a
                                  • Instruction Fuzzy Hash: 82F0BE322852256BAF215B229D85B5B3F589B417E0F195037FC08EA290CE78EC008AEC
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00454EB2
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 78740692b221e79a9762ccbd46d7f188a31b2ad2167c780b1c1497364ca8ea36
                                  • Instruction ID: 7ed3afec28be053f9a77c7416a11cc0d573f769e31c405d3d1c7fe45b1d11b08
                                  • Opcode Fuzzy Hash: 78740692b221e79a9762ccbd46d7f188a31b2ad2167c780b1c1497364ca8ea36
                                  • Instruction Fuzzy Hash: D3F0E9B11002080AA628D7A1950796F77C89EA036DB44453FE9058FA53E73DEDD9825D
                                  APIs
                                  • FindNextFileW.KERNELBASE(00000000,?), ref: 004406F2
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFindNext
                                  • String ID:
                                  • API String ID: 2029273394-0
                                  • Opcode ID: df8edaa59d5e1f82e8cad7747c6b34272b3092e2e70faf3eef711e3f2ee9bc11
                                  • Instruction ID: a1ffe5c8ce5f1f1a4397a2b9345f76ae3c812c30bf0ac5870f9d4861cf5b4c4e
                                  • Opcode Fuzzy Hash: df8edaa59d5e1f82e8cad7747c6b34272b3092e2e70faf3eef711e3f2ee9bc11
                                  • Instruction Fuzzy Hash: 95015631A0625DDFEB20DFA4D988BAEBBB4EF14314F2040DAD909A7282C7346E04DF55
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00000001,0043FE44,?,004AD408,0043FE4A,0043FE44,?,?,?,00434C2F,0043FE48,0043FE48), ref: 0049D18C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 7ee9b205990c537f360d36ea94f63206e53d45b0dbf15067b0b63116574bd50f
                                  • Instruction ID: de2ad87b2feeaf860c8dfd974d012cc9eb33a1afe18dd843800594eb24cb3dbb
                                  • Opcode Fuzzy Hash: 7ee9b205990c537f360d36ea94f63206e53d45b0dbf15067b0b63116574bd50f
                                  • Instruction Fuzzy Hash: 08E0E533A0132166EF212BA6AD02B5B3E48CB513A0F190137EC18962C4CB28DC0082ED
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID:
                                  • API String ID: 431132790-0
                                  • Opcode ID: 3aba680758f6379cc1f0e69a772bc6cab6bd8c88bcc4b04971677c60b68784ff
                                  • Instruction ID: f589969de9c028132caa70972cc51c37c6bf7195d426b38a2c2fae52dece88af
                                  • Opcode Fuzzy Hash: 3aba680758f6379cc1f0e69a772bc6cab6bd8c88bcc4b04971677c60b68784ff
                                  • Instruction Fuzzy Hash: 71E09A76C4020D9ADB40DFD5C486BEFB7BCAB14304F50406BA205E6181EB7857448BE5
                                  APIs
                                  • CreateFileW.KERNEL32(?,00000000,?,004BC623,?,?,00000000,?,004BC623,?,0000000C), ref: 004BC250
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: dd275b77e4c8549b8163696f0af87788398892aa77d507c51891a1137c56f0af
                                  • Instruction ID: c65ff2ef24fd0563ec255788cd93a1d7270b85fbbbb51eec7110af243f851585
                                  • Opcode Fuzzy Hash: dd275b77e4c8549b8163696f0af87788398892aa77d507c51891a1137c56f0af
                                  • Instruction Fuzzy Hash: 05D06C3200010DBBDF028F84EC06FDA3BAAFB48714F018010BA1866020C732E821ABA4
                                  APIs
                                  • GetNativeSystemInfo.KERNEL32(?,?,?,00486DD6,?,?,?,30B73C3E,?,?), ref: 004B9AEC
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoNativeSystem
                                  • String ID:
                                  • API String ID: 1721193555-0
                                  • Opcode ID: 19af6f8f66515c3ad7801cfde8998948d5a7d817498514074e40bdf49eb42b08
                                  • Instruction ID: f88b8e15ca571a688dc5d535dfb7cb0f1e1a76fd2fb5174ce8f8aecae7ce3306
                                  • Opcode Fuzzy Hash: 19af6f8f66515c3ad7801cfde8998948d5a7d817498514074e40bdf49eb42b08
                                  • Instruction Fuzzy Hash: 0EC09B7490610E97CF00E7E5D94D88E77FCA608204F4004A1D551E3140E770FD45C795
                                  APIs
                                  • GetModuleHandleA.KERNEL32(ntdll.dll,NtDuplicateObject,30B73C3E,?,?), ref: 0048A0F7
                                  • GetProcAddress.KERNEL32(00000000), ref: 0048A0FE
                                  • OpenProcess.KERNEL32(00000040,00000000,00000000), ref: 0048A12A
                                  • NtQuerySystemInformation.NTDLL ref: 0048A153
                                  • NtQuerySystemInformation.NTDLL ref: 0048A178
                                  • GetCurrentProcess.KERNEL32 ref: 0048A1FD
                                  • NtQueryObject.NTDLL ref: 0048A22B
                                  • GetFinalPathNameByHandleA.KERNEL32(00000000,00000000,00000104,00000000,00000104,?,00000104,00000000), ref: 0048A315
                                  • CloseHandle.KERNEL32(00000000), ref: 0048A3E6
                                  • CloseHandle.KERNEL32(00000000), ref: 0048A441
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Handle$Query$CloseInformationProcessSystem$AddressCurrentFinalModuleNameObjectOpenPathProc
                                  • String ID: File$NtDuplicateObject$ntdll.dll
                                  • API String ID: 2729825427-3955674919
                                  • Opcode ID: 8320b73641bfe2fd6a36d39389df1be313783445bc61d84dd6fe8aca722285e2
                                  • Instruction ID: 0800680efb81c18e2f896ca5fb1c4f1751909ec1a20682d0b449f1ef79601e33
                                  • Opcode Fuzzy Hash: 8320b73641bfe2fd6a36d39389df1be313783445bc61d84dd6fe8aca722285e2
                                  • Instruction Fuzzy Hash: C3C1DE71D00218AFEF10EFA4DC45BAEBBB5FF44704F14452AE801A7281E7B9AD45CB96
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: >c8 $YD@
                                  • API String ID: 0-2642259206
                                  • Opcode ID: 9dcf1b6b055526eb8ca3ce4f11dbcb7f980ceb29aa0c624363f390bc07ec487a
                                  • Instruction ID: 09539a6074c3f18202d3a6a28530d7ff6b4f8ede69b731f3fb06677334c75715
                                  • Opcode Fuzzy Hash: 9dcf1b6b055526eb8ca3ce4f11dbcb7f980ceb29aa0c624363f390bc07ec487a
                                  • Instruction Fuzzy Hash: B0B4BCB4D0525E8FCB15CFA8D9916EEFBB1AF59304F204299E948B7311D7302A81CFA5
                                  APIs
                                    • Part of subcall function 004517F0: Concurrency::cancel_current_task.LIBCPMT ref: 004518C2
                                    • Part of subcall function 0044DCC0: std::ios_base::_Addstd.LIBCPMT ref: 0044DDEF
                                    • Part of subcall function 00436640: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004366E9
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0047D95A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::ios_base::_$Ios_base_dtor$AddstdConcurrency::cancel_current_task
                                  • String ID: .cmd$.exe$.ps1$.vbs$.G$0hC$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;'$open$runas
                                  • API String ID: 2154145882-3307477358
                                  • Opcode ID: 272a3eff05d2f0994a98a4670cb8ea359793a3df70236ba5e5f34b7e97b052ef
                                  • Instruction ID: f5ba6b163c3a98fee3f853caf05b9595179ad2eb3f8f0c36a39513699dfd7300
                                  • Opcode Fuzzy Hash: 272a3eff05d2f0994a98a4670cb8ea359793a3df70236ba5e5f34b7e97b052ef
                                  • Instruction Fuzzy Hash: 6A122770D00268DFDB20DF64CD85BDEBBB4AF19304F1481EAE849A7282DB755A84CF95
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: &iK$:v*-
                                  • API String ID: 0-925339778
                                  • Opcode ID: 6b47c74f841ad1849f2da8e01aa531820f855eb79643490a739ceb0f548cc6b8
                                  • Instruction ID: a5ef6df3ed742f4fc82cee9b264c17634f39eece1ce4240dfd370ecc90fa88ba
                                  • Opcode Fuzzy Hash: 6b47c74f841ad1849f2da8e01aa531820f855eb79643490a739ceb0f548cc6b8
                                  • Instruction Fuzzy Hash: 3F44BDB8D0525ECBCB15CFA8C991AEEBBB1BF49300F20429AD94977311D7341A85CFA5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __floor_pentium4
                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                  • API String ID: 4168288129-2761157908
                                  • Opcode ID: 9bb7f0d4613073bb4100fe9d2ee9a21b6dd33393f0141ef8f2b167b3b51c02dc
                                  • Instruction ID: b32a4effb01217c3c1626ef3a6516b83a08c7bb55f85dd273b9c2c9ced56d987
                                  • Opcode Fuzzy Hash: 9bb7f0d4613073bb4100fe9d2ee9a21b6dd33393f0141ef8f2b167b3b51c02dc
                                  • Instruction Fuzzy Hash: 9ED21871E086288FDB75CE28CD407EAB7B5EB66315F1441EBD40DA7240EB78AE818F45
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: IG$build_name$extensions$grabber_max_size$links$port$self_destruct
                                  • API String ID: 0-2908327215
                                  • Opcode ID: a51a615a470fb458997f34786117d96a264bb7b4b8cc7aaf03e891e1d6a13de9
                                  • Instruction ID: 544ee5dbb5ec9ed8f40eee544311bb513f632f9a1e78c8f4acb08f2b7fcbd3bd
                                  • Opcode Fuzzy Hash: a51a615a470fb458997f34786117d96a264bb7b4b8cc7aaf03e891e1d6a13de9
                                  • Instruction Fuzzy Hash: DC72F070D04358DBDB18DFA8D990BEDBBB1BF59304F20819AE449AB352DB346A85CF44
                                  APIs
                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0046B7DA
                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0046B81E
                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0046B924
                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0046B970
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_fs_directory_iterator_advance@8
                                  • String ID: .
                                  • API String ID: 2610647541-248832578
                                  • Opcode ID: 2e775b534ccb48514fa1d19158a196e6f147d360d3fd40777325cb8899fa8bdc
                                  • Instruction ID: 99e23c5b304899c8ab8714ce46d423df57297e0934c6bc539a0dfe6d7ec6f1b4
                                  • Opcode Fuzzy Hash: 2e775b534ccb48514fa1d19158a196e6f147d360d3fd40777325cb8899fa8bdc
                                  • Instruction Fuzzy Hash: 77C1BF75A016269FCB20DF18C8847AAB3B5FF44314F14829AD915D7390EB39AD85CFC6
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(?,2000000B,004A641B,00000002,00000000,?,?,?,004A641B,?,00000000), ref: 004A61A2
                                  • GetLocaleInfoW.KERNEL32(?,20001004,004A641B,00000002,00000000,?,?,?,004A641B,?,00000000), ref: 004A61CB
                                  • GetACP.KERNEL32(?,?,004A641B,?,00000000), ref: 004A61E0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID: ACP$OCP
                                  • API String ID: 2299586839-711371036
                                  • Opcode ID: 83dfd683b9c94d176d38183288480b868ca78ec3c44069a2c66a1e4373e54840
                                  • Instruction ID: 02a1f9ff6d074017cf30d732e6d651dacf3b6180dce544ba7b26bbdffeda2481
                                  • Opcode Fuzzy Hash: 83dfd683b9c94d176d38183288480b868ca78ec3c44069a2c66a1e4373e54840
                                  • Instruction Fuzzy Hash: 14217731B00101A6DB348F54C901A9BBBA7EB76B54B5F8466E909D7302EB36DE41C358
                                  APIs
                                    • Part of subcall function 004992A7: GetLastError.KERNEL32(00000000,?,004A2D01), ref: 004992AB
                                    • Part of subcall function 004992A7: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 0049934D
                                  • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 004A63ED
                                  • IsValidCodePage.KERNEL32(00000000), ref: 004A642B
                                  • IsValidLocale.KERNEL32(?,00000001), ref: 004A643E
                                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 004A6486
                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 004A64A1
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                  • String ID:
                                  • API String ID: 415426439-0
                                  • Opcode ID: 478fc60fa90a9ec9e197162e05efa7e840982a7b058c794a341e424fb9183a7c
                                  • Instruction ID: c25bf07a23f3a9ec008bfe0b344d9b34e57977eb2ee5f51d57588e3c0d66081e
                                  • Opcode Fuzzy Hash: 478fc60fa90a9ec9e197162e05efa7e840982a7b058c794a341e424fb9183a7c
                                  • Instruction Fuzzy Hash: B351C031A00205ABDF10DFA5CC41AAF77B8BF2A700F09446BF905EB2C0D778D9058B68
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0042E6CB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: !dYH$6b6=
                                  • API String ID: 118556049-155378937
                                  • Opcode ID: 016e682e6e92c56b7e5f52a4a6c50224f71debeb36c814b1b43eac77d68e84f3
                                  • Instruction ID: 3adec6fdbd1554a06cbe821abd73873d9aa74c181532ca023f18934c78765b13
                                  • Opcode Fuzzy Hash: 016e682e6e92c56b7e5f52a4a6c50224f71debeb36c814b1b43eac77d68e84f3
                                  • Instruction Fuzzy Hash: 6023CDB8D0525CCBDB25CFA8C990AEDBBB1BF59300F24429AD84977311E7742A86CF54
                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0049859D
                                  • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 004985B1
                                  • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,0000001C), ref: 00498602
                                  • VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 00498617
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocInfoProtectQuerySystem
                                  • String ID:
                                  • API String ID: 3562403962-0
                                  • Opcode ID: 4e29c64980591c23c9d6474b97963c5f1eeeaad4aec7d0b9861b07a888b65890
                                  • Instruction ID: 57c86550534b148c15952eeeaf39776b02a492ab104de77fe61266457f658886
                                  • Opcode Fuzzy Hash: 4e29c64980591c23c9d6474b97963c5f1eeeaad4aec7d0b9861b07a888b65890
                                  • Instruction Fuzzy Hash: 91217C72E00119ABCF20DFA9DD85AEFBBB8EF45754F05017AE905E7140EA349D04C794
                                  APIs
                                  • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 004AC6CB
                                  • IsDebuggerPresent.KERNEL32 ref: 004AC797
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004AC7B0
                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 004AC7BA
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                  • String ID:
                                  • API String ID: 254469556-0
                                  • Opcode ID: 1a5f2cb74b25642d18f707c0b6da8939d9b46288bf323feffe580c9d32bdbba1
                                  • Instruction ID: 70dc3419eb2b6db1900c7bd06373213fcab329736da06f39ceabfcfe7a7444e5
                                  • Opcode Fuzzy Hash: 1a5f2cb74b25642d18f707c0b6da8939d9b46288bf323feffe580c9d32bdbba1
                                  • Instruction Fuzzy Hash: E1314A75C012189BDF21DF61DC897CEBBB8BF18700F1041AAE40DAB250E7759A84CF48
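Three of the API listings above carry most of the triage signal: the block at 0048A0F7 (GetModuleHandleA/GetProcAddress for NtDuplicateObject, OpenProcess with access mask 00000040, two NtQuerySystemInformation calls, NtQueryObject, GetFinalPathNameByHandleA), the block at 0049859D (VirtualQuery, GetSystemInfo, VirtualAlloc with 00001000, VirtualProtect with 00000104) and the block at 004AC6CB (IsProcessorFeaturePresent(00000017), IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter). The first is the sequence a stealer uses to copy files another process holds open: enumerate every handle on the system, open the owning process with PROCESS_DUP_HANDLE (0x40), duplicate the handle, ask NtQueryObject whether it is a File object and resolve it to a path. The other two are what MSVC's runtime emits for _resetstkoflw (re-commit a stack page and set PAGE_GUARD, 0x104 = PAGE_READWRITE|PAGE_GUARD) and for the /GS cookie failure path (PF_FASTFAIL_AVAILABLE is 0x17), which is why generic guard-page and IsDebuggerPresent signatures fire on almost any MSVC binary. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses the "APIs" bullet lines in the format this page renders them, decodes the relevant constants and applies those three sequence heuristics. The line grammar is inferred from this page and the verdict rules are the analyst's own assumptions, not Joe Sandbox's signature logic; the sample input is the three lists copied from above.

```python
"""Triage helper for Joe Sandbox per-function "APIs" listings (added example).

Parses bullet lines such as
    • OpenProcess.KERNEL32(00000040,00000000,00000000), ref: 0048A12A
and decides whether a function block's API sequence is the handle-duplication
file-grab pattern or ordinary MSVC runtime scaffolding. The line format is
inferred from this report's rendering; the sequence heuristics are the
analyst's own assumptions, not Joe Sandbox rules.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One bullet of an "APIs" list: optional subcall prefix, Api.MODULE, optional
# (args), optional "ref: ADDR". Labels like "Source File:" never match because
# the API name must be followed directly by a dot.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*(?:ref:\s*(?P<ref>[0-9A-F]+))?",
    re.IGNORECASE,
)

# Windows constants (documented values, not taken from the report).
PROCESS_DUP_HANDLE = 0x0040
MEM_COMMIT = 0x1000
PAGE_GUARD = 0x100
PF_FASTFAIL_AVAILABLE = 23  # 0x17
PROTECT_FLAGS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                 0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
                 0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: Optional[str]
    subcall: Optional[str]  # set when the line is "Part of subcall function X"


def parse_api_lines(text: str) -> list[Call]:
    """Extract Call records from one function block's "APIs" list."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # section labels, hashes, "Memory Dump Source", ...
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["mod"].upper(), args, m["ref"], m["sub"]))
    return calls


def hexarg(call: Call, index: int) -> Optional[int]:
    """Argument as int; None for '?' (unknown at dump time) or string literals."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def decode_protect(value: int) -> str:
    """Render a VirtualProtect/VirtualAlloc protection mask symbolically."""
    parts = [name for bit, name in sorted(PROTECT_FLAGS.items()) if value & bit]
    return "|".join(parts) or hex(value)


def classify(calls: list[Call]) -> tuple[str, str]:
    """Return (verdict, reason) for one function block's API sequence."""
    names = {c.api for c in calls}
    literals = {a for c in calls for a in c.args}
    dup_open = any(c.api == "OpenProcess" and (hexarg(c, 0) or 0) & PROCESS_DUP_HANDLE
                   for c in calls)
    if ({"NtQuerySystemInformation", "NtQueryObject"} <= names and dup_open
            and "NtDuplicateObject" in literals
            and any(n.startswith("GetFinalPathNameByHandle") for n in names)):
        return ("suspicious:handle-duplication-file-grab",
                "enumerates system handles, opens owners with PROCESS_DUP_HANDLE, "
                "duplicates and resolves them to paths: copies files other processes hold open")
    guard = any(c.api == "VirtualProtect" and (hexarg(c, 2) or 0) & PAGE_GUARD for c in calls)
    commit = any(c.api == "VirtualAlloc" and (hexarg(c, 2) or 0) & MEM_COMMIT for c in calls)
    if {"VirtualQuery", "GetSystemInfo"} <= names and guard and commit:
        return ("runtime:stack-guard-page-reset",
                "re-commits one page and sets PAGE_GUARD on it, as CRT _resetstkoflw does")
    fastfail = any(c.api == "IsProcessorFeaturePresent" and hexarg(c, 0) == PF_FASTFAIL_AVAILABLE
                   for c in calls)
    if fastfail and {"IsDebuggerPresent", "SetUnhandledExceptionFilter",
                     "UnhandledExceptionFilter"} <= names:
        return ("runtime:gs-failure-handler",
                "/GS cookie failure path; its IsDebuggerPresent is not a deliberate debugger check")
    return ("unclassified", "no known sequence matched")


# Constructed sample input: the three "APIs" lists copied from this report.
HANDLE_DUP_BLOCK = """
• GetModuleHandleA.KERNEL32(ntdll.dll,NtDuplicateObject,30B73C3E,?,?), ref: 0048A0F7
• GetProcAddress.KERNEL32(00000000), ref: 0048A0FE
• OpenProcess.KERNEL32(00000040,00000000,00000000), ref: 0048A12A
• NtQuerySystemInformation.NTDLL ref: 0048A153
• NtQuerySystemInformation.NTDLL ref: 0048A178
• GetCurrentProcess.KERNEL32 ref: 0048A1FD
• NtQueryObject.NTDLL ref: 0048A22B
• GetFinalPathNameByHandleA.KERNEL32(00000000,00000000,00000104,00000000,00000104,?,00000104,00000000), ref: 0048A315
• CloseHandle.KERNEL32(00000000), ref: 0048A3E6
• CloseHandle.KERNEL32(00000000), ref: 0048A441
"""
GUARD_PAGE_BLOCK = """
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 0049859D
• GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 004985B1
• VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,0000001C), ref: 00498602
• VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 00498617
"""
GS_FAILURE_BLOCK = """
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 004AC6CB
• IsDebuggerPresent.KERNEL32 ref: 004AC797
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004AC7B0
• UnhandledExceptionFilter.KERNEL32(?), ref: 004AC7BA
"""

if __name__ == "__main__":
    for label, block in [("0048A0F7", HANDLE_DUP_BLOCK), ("0049859D", GUARD_PAGE_BLOCK),
                         ("004AC6CB", GS_FAILURE_BLOCK)]:
        calls = parse_api_lines(block)
        verdict, why = classify(calls)
        print(f"{label}: {verdict}\n  {why}")
        for c in calls:
            if c.api == "VirtualProtect" and hexarg(c, 2) is not None:
                print(f"  VirtualProtect protection = {decode_protect(hexarg(c, 2))}")
```

The verdict strings are deliberately two-level (`runtime:` versus `suspicious:`) so the runtime ones can be filtered out when the same parser is run over a whole report; anything that stays `unclassified` still needs eyes, and a `runtime:` match only says the block is CRT code, not that the binary is benign.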
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: content$filename
                                  • API String ID: 0-474635906
                                  • Opcode ID: b66f7423e610c841824d5b72251d930196416b83facb86d1c8f8609f3cb58a8b
                                  • Instruction ID: d087ffba84baf14db51f89a037efaf3a0efd4671473d6540ebf1f333b1c0f3d3
                                  • Opcode Fuzzy Hash: b66f7423e610c841824d5b72251d930196416b83facb86d1c8f8609f3cb58a8b
                                  • Instruction Fuzzy Hash: 5392EEB0C052AC9BDB66DF68D9857DDBBB4AF18308F1441DAE80CA7252EB741B84CF45
                                  APIs
                                  • GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,00000000,00000002,?,?,00435B2A,?,?), ref: 004B8261
                                  • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000,?,?,00435B2A,?,?), ref: 004B8288
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FormatInfoLocaleMessage
                                  • String ID: !x-sys-default-locale
                                  • API String ID: 4235545615-2729719199
                                  • Opcode ID: 84205eb8d4b061531bed3096fe064d3d6fd842fcad4d2f7a7c64ada32d2dc388
                                  • Instruction ID: 4f66f40a8a4f046c7b0032d4e1a4b833dd41128cf422eed9181fa496fdef01a0
                                  • Opcode Fuzzy Hash: 84205eb8d4b061531bed3096fe064d3d6fd842fcad4d2f7a7c64ada32d2dc388
                                  • Instruction Fuzzy Hash: 1AF030B5511108FFEF089BD5DC0EEEB77ACEB09394F10416AB501D6150E6B0AE00D778
                                  APIs
                                    • Part of subcall function 004805F0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,30B73C3E,00000000,004BCF70,000000FF,?,?,00513FC8), ref: 00480617
                                    • Part of subcall function 004805F0: GetLastError.KERNEL32(?,00000000,00000000,30B73C3E,00000000,004BCF70,000000FF,?,?,00513FC8), ref: 00480621
                                  • IsDebuggerPresent.KERNEL32(?,?,?,00434B5D), ref: 004BA080
                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00434B5D), ref: 004BA08F
                                  Strings
                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 004BA08A
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                  • API String ID: 3511171328-631824599
                                  • Opcode ID: c51739a2d2ef137336e9adc3b97a1d747fb81e18f3053d9a6155fde0035c1d30
                                  • Instruction ID: d36ccacf6001ae6edc25a42526d65594664b7a1234a3e60676ee06f56b9b42c5
                                  • Opcode Fuzzy Hash: c51739a2d2ef137336e9adc3b97a1d747fb81e18f3053d9a6155fde0035c1d30
                                  • Instruction Fuzzy Hash: 64E065701007018FD330AF3AD40C3467BE0AB14304F00882FD945C7750E7B9D4088B66
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: invalid BOM; must be 0xEF 0xBB 0xBF if given$invalid literal$null
                                  • API String ID: 0-704505451
                                  • Opcode ID: c2853c1b5150f4562c75b0c9af08e518547b875ff11f585f7cc727e4d436818e
                                  • Instruction ID: 900511fe56f482f81459f08a410c1a76c5e1d1655cedb158031f5ff095a229d0
                                  • Opcode Fuzzy Hash: c2853c1b5150f4562c75b0c9af08e518547b875ff11f585f7cc727e4d436818e
                                  • Instruction Fuzzy Hash: 315183307001089BCB24EF79A5527BDB3E4DB95314F00859FE80E8BBC2DF69AA5497D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: mce
                                  • API String ID: 0-4153875931
                                  • Opcode ID: a73292159e262abdb433d94eaae0cf6bfd02510e463947a96e78a37495f057a5
                                  • Instruction ID: f690702d9b6e5b1c8f3d94d1572842c367def53288e29523866870a81cfcc782
                                  • Opcode Fuzzy Hash: a73292159e262abdb433d94eaae0cf6bfd02510e463947a96e78a37495f057a5
                                  • Instruction Fuzzy Hash: 0603DCB8D0424A9FDB04CF98D591AEEBFB1FF59304F248119D945BB302D7312A89CBA5
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00407D8B
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: fe31969a8a19a14cbb2cc1aa8e38a226629513882e496fcef040987109d5691f
                                  • Instruction ID: 812474a2bd2a8ecf408f930e0567eb9d9337a7355d6dea629df30afde2b5ebb2
                                  • Opcode Fuzzy Hash: fe31969a8a19a14cbb2cc1aa8e38a226629513882e496fcef040987109d5691f
                                  • Instruction Fuzzy Hash: 7BA2D0B4D0429D8BDB15CFA8C9816EEBBB1FF58304F20819AD949BB345DB341A89CF54
                                  APIs
                                    • Part of subcall function 00481970: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,30B73C3E), ref: 004819D8
                                  • ShellExecuteW.SHELL32(00000000,?,?,?,00000000,00000000), ref: 0047EC85
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteFileModuleNameShell
                                  • String ID:
                                  • API String ID: 1703432166-0
                                  • Opcode ID: 7424804a8784dfbdf273c5a717085f3b2be6b7ed6bb5d16cf0bfa5b6ce38600f
                                  • Instruction ID: 2a91a513cc0bd4868b0af53c92a7a879c8891e0eaa161494f23d7b10a733aea0
                                  • Opcode Fuzzy Hash: 7424804a8784dfbdf273c5a717085f3b2be6b7ed6bb5d16cf0bfa5b6ce38600f
                                  • Instruction Fuzzy Hash: 5032AEB4D0625CEBDB25CF98E981ADDBBB1FF48314F24419AE809A7341E7706A85CF44
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00462407
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 998b97963232ca513792be5bccec286f05fd367684fe6908831998ecf4a6ed59
                                  • Instruction ID: ef4cf88e9a4fdd266e31e3aa05a67ef024deafe90fb21754261dea51a8be5403
                                  • Opcode Fuzzy Hash: 998b97963232ca513792be5bccec286f05fd367684fe6908831998ecf4a6ed59
                                  • Instruction Fuzzy Hash: 87D18A31D04A49DFCB05CFA8C9806ADFBF1BF59310F18865AD841EB341E7B4A985CB95
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00462797
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 77eb809091e37f4e40faa665b14a1fdc1f259fd5624333971882c80142aac5d8
                                  • Instruction ID: ac15f3507e96ea44d263738e0e8876a083df1079939a1e49c6866d189bdfc312
                                  • Opcode Fuzzy Hash: 77eb809091e37f4e40faa665b14a1fdc1f259fd5624333971882c80142aac5d8
                                  • Instruction Fuzzy Hash: 25D1AB31E0464ADFCB04CFA8C9806ADFBF0BF59310F18865AD841EB341E7B4A941CB95
                                  APIs
                                    • Part of subcall function 004992A7: GetLastError.KERNEL32(00000000,?,004A2D01), ref: 004992AB
                                    • Part of subcall function 004992A7: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 0049934D
                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004A5FA9,00000000,00000000,?), ref: 004A623B
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$InfoLocale
                                  • String ID:
                                  • API String ID: 3736152602-0
                                  • Opcode ID: afed30a40adaf0fe2c2ae6d6b95a375c8a19700a8aa4b2d509547a2ce32d92aa
                                  • Instruction ID: 9487850153f17b5aff8b54b84101990ee62d9d6b8c11e223cf6e38bc87e8a6da
                                  • Opcode Fuzzy Hash: afed30a40adaf0fe2c2ae6d6b95a375c8a19700a8aa4b2d509547a2ce32d92aa
                                  • Instruction Fuzzy Hash: 3C01DB33A10112ABDF286A658D06BBB7768DB51754F1A446FEC06A3680DA38ED41C698
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 346dc23a3b721231884126440995aecd87b62a600a1fea4fb977c7ca1dd55190
                                  • Instruction ID: f8786dd4fa61ba6b8208f2a0da3dfae63e0824739066c1b4c5cfb23239ebdf74
                                  • Opcode Fuzzy Hash: 346dc23a3b721231884126440995aecd87b62a600a1fea4fb977c7ca1dd55190
                                  • Instruction Fuzzy Hash: A2F149B2E112198FDF08CF99D8915EEBBB2BFC8310B29826ED41667344DB346D05CB95
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast
                                  • String ID:
                                  • API String ID: 1452528299-0
                                  • Opcode ID: 9194f5c757f1635d934fcc685d379f44141296be3cd9e06fdbc5599b6296e9cf
                                  • Instruction ID: a96efd13eabcb712d80455b2c4eda02400c9a3c9733d671832283fb3a4145ee2
                                  • Opcode Fuzzy Hash: 9194f5c757f1635d934fcc685d379f44141296be3cd9e06fdbc5599b6296e9cf
                                  • Instruction Fuzzy Hash: B1B13975500B019FDB389B25CD92BB7B3E9EF65308F44442FE947C6680EA78E985CB18
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0a7fb0066ca0e63ce1a3140edfe9943461d3f2e4af0e2cb6d3b63da6b91ab0d1
                                  • Instruction ID: b44fcc7ce13d6765da29ef4693de0a604283395fac7cf3727fef9bca0c1881a8
                                  • Opcode Fuzzy Hash: 0a7fb0066ca0e63ce1a3140edfe9943461d3f2e4af0e2cb6d3b63da6b91ab0d1
                                  • Instruction Fuzzy Hash: 07E1A551C4CBD891E6274B3D88426E2F3F4BFF9219F15A706EEE422421FB3662C68751
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f0ba32d3d0f547d4e0c0c2ee68133de1f9df539ce713836f75fcdfe5a29b6232
                                  • Instruction ID: aec3b6c702971bbda01d5f983ffd6c32ec602d3d125e3ae181568633efd48618
                                  • Opcode Fuzzy Hash: f0ba32d3d0f547d4e0c0c2ee68133de1f9df539ce713836f75fcdfe5a29b6232
                                  • Instruction Fuzzy Hash: E5C17B71E04649DFCB04CFA8C880AACFBB1BF59310F18826EE856E7351E734A955CB95
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 66c816971dc4f363f466b11f2f4d5d7ddc684e31de2e014f784be5717bcb0236
                                  • Instruction ID: df46be6a361dd8f15a6f1edf4f2d8fac6e56a2b7ec9f979b005a651a2e3504fb
                                  • Opcode Fuzzy Hash: 66c816971dc4f363f466b11f2f4d5d7ddc684e31de2e014f784be5717bcb0236
                                  • Instruction Fuzzy Hash: 1B715372E1061A9FCB14CFADC9805AEB7F1FB88314F15822AE816E7345E774E905CB94
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0044E070
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0044E092
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0044E0BA
                                  • std::_Facet_Register.LIBCPMT ref: 0044E1D0
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0044E1FA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                  • String ID: cC$`aC$p]C
                                  • API String ID: 459529453-2177106863
                                  • Opcode ID: 0ec5fc01751d5b833a82cdbf1fb86bd01fb7cc1a0f61e7ee4049cbe82690b1d5
                                  • Instruction ID: 1ff138599dd9b712ad814e44402e9ca08be03e0a2a2e3ebe43d51928b08ed38c
                                  • Opcode Fuzzy Hash: 0ec5fc01751d5b833a82cdbf1fb86bd01fb7cc1a0f61e7ee4049cbe82690b1d5
                                  • Instruction Fuzzy Hash: 99518BB0D00259DBEB10CF99C8457AEBBB4FB18314F24815ED811AB381DB79AA44CBA5
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0045228D
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004522AF
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004522D7
                                  • __Getcoll.LIBCPMT ref: 0045239F
                                  • std::_Facet_Register.LIBCPMT ref: 004523EB
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00452415
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
                                  • String ID: `aC$p]C
                                  • API String ID: 1184649410-1363152631
                                  • Opcode ID: ffb4109bd5f0e03f7653836359533883caddf3a46b152359ef2760dfe1b9c1ae
                                  • Instruction ID: 568a7e1164ae6cef3cf0599e82aad122ccc02b6897634e5ab4797aad8f19cd87
                                  • Opcode Fuzzy Hash: ffb4109bd5f0e03f7653836359533883caddf3a46b152359ef2760dfe1b9c1ae
                                  • Instruction Fuzzy Hash: 49518B70800208DFDB01DF95C9457DEBBB4FF55318F24815ED805AB282DBB9AE49CBA9
                                  APIs
                                  • InternetOpenW.WININET(File Downloader,00000001,00000000,00000000,00000000), ref: 0047D22D
                                  • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 0047D256
                                  • InternetReadFile.WININET(00000000,?,00001000,00000000), ref: 0047D27C
                                  • InternetReadFile.WININET(00000000,?,00001000,00000000), ref: 0047D2B2
                                  • InternetCloseHandle.WININET(00000000), ref: 0047D2B9
                                  • InternetCloseHandle.WININET(?), ref: 0047D2C5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseFileHandleOpenRead
                                  • String ID: File Downloader
                                  • API String ID: 4038090926-3631955488
                                  • Opcode ID: 811208fdf33a36e9be3e42b468326af56e319a1deb0617af28b90d4cff8a8570
                                  • Instruction ID: 638e9360adee8abd238f5bb9f06079602c51a7af3a4d5d450420b7b82b1eb562
                                  • Opcode Fuzzy Hash: 811208fdf33a36e9be3e42b468326af56e319a1deb0617af28b90d4cff8a8570
                                  • Instruction Fuzzy Hash: 5B318370A01655ABD730CF55CC45BEAB7B8EF44700F1041AAF549E7290DBB8AE84DFA8
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 004AD637
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 004AD63F
                                  • _ValidateLocalCookies.LIBCMT ref: 004AD6C8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 004AD6F3
                                  • _ValidateLocalCookies.LIBCMT ref: 004AD748
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 255d3a1bd88e468a9ea08ee1f7f85cdc8f29e10e22a0162dea8eb7e65443c785
                                  • Instruction ID: fca86a332ffc7d642b39a5fdc798139505592cae81a3a9a41e25a428a24f43dc
                                  • Opcode Fuzzy Hash: 255d3a1bd88e468a9ea08ee1f7f85cdc8f29e10e22a0162dea8eb7e65443c785
                                  • Instruction Fuzzy Hash: 2741D834E002089BCF10DF69C880A9E7BB5BF66318F14815BE81A5B752D739EA01CF95
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004366E9
                                    • Part of subcall function 004AFA0C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0043FE44,?,?,?,004B9080,0043FE44,00513AB0,?,0043FE44,?,?,0000000C,30B73C3E), ref: 004AFA6C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
                                  • String ID: (>Q$0hC$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 1903096808-798308736
                                  • Opcode ID: 0ed2678322210cc8cc3a07b91dadb1e30d188d3d66194e55af3b44069607d8cc
                                  • Instruction ID: 0e9c3b5a5aba75944b05d252eccadd5948fd44e578ec9c0118fa22ff265feac2
                                  • Opcode Fuzzy Hash: 0ed2678322210cc8cc3a07b91dadb1e30d188d3d66194e55af3b44069607d8cc
                                  • Instruction Fuzzy Hash: 4E1122B29046487BD710DB59DC02FAA7398EB09754F04862FFD58872C1EB3DA90487AA
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8a850e4bd8366f6602f7f439948ddd996ec0ba155590deffeea4e3919eff859f
                                  • Instruction ID: c45b587b2b6024bbc8d631f61cfde13028adc071dc65d72902c8bf59655bd6a7
                                  • Opcode Fuzzy Hash: 8a850e4bd8366f6602f7f439948ddd996ec0ba155590deffeea4e3919eff859f
                                  • Instruction Fuzzy Hash: 64B13572D00255AFDF11DF64CC81BAA7FA5EF55310F1441BBE454AB382D2789D01C7A9
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __freea$__alloca_probe_16
                                  • String ID: a/p$am/pm
                                  • API String ID: 3509577899-3206640213
                                  • Opcode ID: 2f1fc7fa59a782c27ac2a0a21d9667bbb23879f6a72bde815bccda8bcba835b0
                                  • Instruction ID: 1d0f90a389a6ddb01c6eee3cfed114d4cdbff39c5c4e16d1e763b1923b69fac5
                                  • Opcode Fuzzy Hash: 2f1fc7fa59a782c27ac2a0a21d9667bbb23879f6a72bde815bccda8bcba835b0
                                  • Instruction Fuzzy Hash: 32C1BF35904212AADB298F6CCA947BB77B0FF2B300F14405BE905AB750D3BD9D42EB59
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32(30B73C3E), ref: 0048A4E4
                                  • FreeEnvironmentStringsW.KERNEL32(?), ref: 0048A685
                                  • RtlInitUnicodeString.NTDLL(?), ref: 0048A6D9
                                  • RtlInitUnicodeString.NTDLL(?,00000000), ref: 0048A6E4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EnvironmentInitStringStringsUnicode$Free
                                  • String ID: 0Q8w
                                  • API String ID: 2488768755-1710177118
                                  • Opcode ID: 0d066fd5a037e956643cd3d92a9a96980abf0cb91633621b3d58d647d7d5a7ef
                                  • Instruction ID: 1a99e4392def1b605416f46e3147960cb17592dd8275db88d5f878599104deaf
                                  • Opcode Fuzzy Hash: 0d066fd5a037e956643cd3d92a9a96980abf0cb91633621b3d58d647d7d5a7ef
                                  • Instruction Fuzzy Hash: 6471AAB1C10219EBDB00DF98C884B9EFBF8FF18304F14461BE815A3250E7B8A995CB95
                                  APIs
                                  • GetModuleHandleW.KERNEL32(kernel32.dll,30B73C3E,?,?,004CEC14,000000FF,?,004B87C4,00000105,?,00000000,?,?,?,0047FCE3), ref: 004B82C9
                                  • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004B82D5
                                  • GetTempPathW.KERNEL32(?,?,004CEC14,000000FF,?,004B87C4,00000105,?,00000000,?,?,?,0047FCE3,?,00000105,?), ref: 004B82F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModulePathProcTemp
                                  • String ID: GetTempPath2W$kernel32.dll
                                  • API String ID: 775647363-1846531799
                                  • Opcode ID: f1cf7476179f5a48e5f157bd4a6fca76b08ed530dfc52bf4d8c2badd71eabe8a
                                  • Instruction ID: 490c9918516094a75be01d3e1b1e27de5ce3fa518d230e70400d3a931493a6c9
                                  • Opcode Fuzzy Hash: f1cf7476179f5a48e5f157bd4a6fca76b08ed530dfc52bf4d8c2badd71eabe8a
                                  • Instruction Fuzzy Hash: C2F03A36A44654EFCB159F54EC05F9A7BA8FB09B60F008127EC16937A0DB79A800CB98
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 004B925F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004B926A
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004B92D8
                                    • Part of subcall function 004B93BB: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004B93D3
                                  • std::locale::_Setgloballocale.LIBCPMT ref: 004B9285
                                  • _Yarn.LIBCPMT ref: 004B929B
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                  • String ID:
                                  • API String ID: 1088826258-0
                                  • Opcode ID: 9529708b05f48a18c841b776fc683316fa11b0247fd455af3d56381143c4ee67
                                  • Instruction ID: d57bef6452a6d9f87b7c1f6c81a415e25ff1084f0ba862d3ffc406506ccaed08
                                  • Opcode Fuzzy Hash: 9529708b05f48a18c841b776fc683316fa11b0247fd455af3d56381143c4ee67
                                  • Instruction Fuzzy Hash: 2101BC75A002149BDB09EF21E881ABE3BA5BF95714B18400EE90157381CF78AE42DBE9
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,0051C570,00000000,00020019,00000000,?,?,?,30B73C3E,?,0051C2A0), ref: 0047F4D0
                                  • RegQueryValueExA.ADVAPI32(00000000,0051C2A0,00000000,000F003F,?,00000400,?,?,?,30B73C3E,?,0051C2A0), ref: 0047F506
                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,30B73C3E,?,0051C2A0), ref: 0047F5A4
                                  • SysFreeString.OLEAUT32 ref: 0047FA14
                                    • Part of subcall function 0047A610: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0047A678
                                    • Part of subcall function 0047A610: LocalFree.KERNEL32(?,00000000), ref: 0047A70F
                                    • Part of subcall function 004870B0: RegOpenKeyExA.KERNEL32(80000001,0051C570,00000000,00020019,00000000,30B73C3E,0051C570,0051C2A0), ref: 00487182
                                    • Part of subcall function 004870B0: RegQueryValueExA.KERNEL32(00000000,?,00000000,000F003F,?,00000400), ref: 004871B6
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: FreeOpenQueryValue$CloseCryptDataLocalStringUnprotect
                                  • String ID:
                                  • API String ID: 2380017125-0
                                  • Opcode ID: 24e19619ec6861878dd46b4612fd45863707030a07a4499d5f6f29efbc7ef892
                                  • Instruction ID: 56cbdaf4eb2024de0fd4bd59dbcd72090a4e5b75bdf23aa4f75e7a392944198d
                                  • Opcode Fuzzy Hash: 24e19619ec6861878dd46b4612fd45863707030a07a4499d5f6f29efbc7ef892
                                  • Instruction Fuzzy Hash: 24122BF0E002689BDB24DF24CC5479DB7B5AF44318F1086EAD64DA7282DB346E88CF59
                                  APIs
                                  • GetConsoleOutputCP.KERNEL32(30B73C3E,00000000,00000000,00000000), ref: 0049B4D9
                                    • Part of subcall function 004A1489: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0049B05F,?,00000000,-00000008), ref: 004A14EA
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0049B72B
                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0049B771
                                  • GetLastError.KERNEL32 ref: 0049B814
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                  • String ID:
                                  • API String ID: 2112829910-0
                                  • Opcode ID: aef57a059a08420b8d5dfae5096d35553b8056bffb0ce8bb8e63412c3f54050f
                                  • Instruction ID: 17746d06032e39ca1db24970b21defb679d9c3d722e4804f7fdb3bafa319cb4d
                                  • Opcode Fuzzy Hash: aef57a059a08420b8d5dfae5096d35553b8056bffb0ce8bb8e63412c3f54050f
                                  • Instruction Fuzzy Hash: 15D17A75D002489FCF05CFE9E980AEDBBB5EF49314F18816AE425EB351D734A906CB94
                                  APIs
                                    • Part of subcall function 00477B00: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,30B73C3E,?,?), ref: 00477B54
                                    • Part of subcall function 00477B00: Process32FirstW.KERNEL32(00000000,?), ref: 00477BB9
                                    • Part of subcall function 00477B00: CloseHandle.KERNEL32(00000000), ref: 00477E84
                                  • ImpersonateLoggedOnUser.ADVAPI32(00000000,30B73C3E,?,00000000), ref: 00478391
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: CloseCreateFirstHandleImpersonateLoggedProcess32SnapshotToolhelp32User
                                  • String ID:
                                  • API String ID: 1507787261-0
                                  • Opcode ID: ebec02cd2df44e7bd4fb65aecaaffec3bb885a70c3ad5895e8640ffefb46c4a4
                                  • Instruction ID: e502c6a69380433c55fd31efa36561dbf437e01bd72b95285a5588c942f2c0dc
                                  • Opcode Fuzzy Hash: ebec02cd2df44e7bd4fb65aecaaffec3bb885a70c3ad5895e8640ffefb46c4a4
                                  • Instruction Fuzzy Hash: F5F17070C0428DDEEB15DBA4C8587DDBBB0AF15308F24819ED04977292DB785F88DBA6
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 00fa7b59af023eaaf071b224feea6c80f4edf5776798c8ca34953c892f2afd27
                                  • Instruction ID: 6bad779769d7c9384c33fcc5b288381071ef860472916b423066c301ca7f7ee1
                                  • Opcode Fuzzy Hash: 00fa7b59af023eaaf071b224feea6c80f4edf5776798c8ca34953c892f2afd27
                                  • Instruction Fuzzy Hash: D141E675A00704AFDB24AF39CC41B6BBBA9EB99714F20452FF101DB781D77DA9418B88
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32 ref: 004AB381
                                    • Part of subcall function 004A1489: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0049B05F,?,00000000,-00000008), ref: 004A14EA
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004AB3B9
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004AB3D9
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                  • String ID:
                                  • API String ID: 158306478-0
                                  • Opcode ID: 0a2ae24b67922771a560a7bfaf211a935735e21397bf4215f271d900e53f356c
                                  • Instruction ID: 352b9fd8ff6adfd48aa864b65f723ba5a946c2f7c3dd1541d1c3166fed4ac287
                                  • Opcode Fuzzy Hash: 0a2ae24b67922771a560a7bfaf211a935735e21397bf4215f271d900e53f356c
                                  • Instruction Fuzzy Hash: B21156B19015157E7A1167B65C8AD6F6A5CDE5A398B10403BF801D1203EB7D9D0245BA
                                  APIs
                                  • WideCharToMultiByte.KERNEL32(00000001,00000400,30B73C3E,00000000,00000000,00000000,00000000,00000000,00000001,?,?,0044E5F3,?,?,00000000,00000000), ref: 004B844D
                                  • GetLastError.KERNEL32(?,?,0044E5F3,?,?,00000000,00000000,00000000,30B73C3E,00000001), ref: 004B8459
                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,30B73C3E,00000000,00000000,00000000,00000000,00000000,?,?,0044E5F3,?,?,00000000,00000000,00000000), ref: 004B847F
                                  • GetLastError.KERNEL32(?,?,0044E5F3,?,?,00000000,00000000,00000000,30B73C3E,00000001), ref: 004B848B
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: ByteCharErrorLastMultiWide
                                  • String ID:
                                  • API String ID: 203985260-0
                                  • Opcode ID: b17853a5fac4461212df69502fdb333749a3d57a63655a8d7d2491092ae6608b
                                  • Instruction ID: 6b90caf3a67b14ffb57c64759c70b961d31bb881305e702148557666a2de5e43
                                  • Opcode Fuzzy Hash: b17853a5fac4461212df69502fdb333749a3d57a63655a8d7d2491092ae6608b
                                  • Instruction Fuzzy Hash: FB01BF36601156BFCF224F95DC08E9F3F7AEBD9791F118029FA0556220DA31C922EBA5
                                  APIs
                                  • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,004A671A,00000000,00000001,0000000C,00000000,?,0049B868,00000000,00000000,00000000), ref: 004A95FC
                                  • GetLastError.KERNEL32(?,004A671A,00000000,00000001,0000000C,00000000,?,0049B868,00000000,00000000,00000000,00000000,00000000,?,0049BE42,?), ref: 004A9608
                                    • Part of subcall function 004A95CE: CloseHandle.KERNEL32(FFFFFFFE,004A9618,?,004A671A,00000000,00000001,0000000C,00000000,?,0049B868,00000000,00000000,00000000,00000000,00000000), ref: 004A95DE
                                  • ___initconout.LIBCMT ref: 004A9618
                                    • Part of subcall function 004A9590: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004A95BF,004A6707,00000000,?,0049B868,00000000,00000000,00000000,00000000), ref: 004A95A3
                                  • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,004A671A,00000000,00000001,0000000C,00000000,?,0049B868,00000000,00000000,00000000,00000000), ref: 004A962D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                  • String ID:
                                  • API String ID: 2744216297-0
                                  • Opcode ID: 798d55b3f7968c96ef430ebc1f18d2e2465c9867b2c7648d7be43d295ef59026
                                  • Instruction ID: 8abc0c58445a332f8c6052495b9482a66327941653e6e46fd38a52645a0d97bb
                                  • Opcode Fuzzy Hash: 798d55b3f7968c96ef430ebc1f18d2e2465c9867b2c7648d7be43d295ef59026
                                  • Instruction Fuzzy Hash: DCF01237441215BBCF521F91DC09ACE3F66EF19364F024426FA2C86120C6368D60DB94
                                  APIs
                                  • EncodePointer.KERNEL32(00000000,?), ref: 004B0216
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: EncodePointer
                                  • String ID: MOC$RCC
                                  • API String ID: 2118026453-2084237596
                                  • Opcode ID: f6a5424a3b0add0d67cdb7a4433499b834c2692f3a3c89efa9c8eec31821c917
                                  • Instruction ID: 70788f387beb527cb8114cdc5e5f216b8ccff70d73c61da87df7ae4bd57bd2ae
                                  • Opcode Fuzzy Hash: f6a5424a3b0add0d67cdb7a4433499b834c2692f3a3c89efa9c8eec31821c917
                                  • Instruction Fuzzy Hash: EE415871900209AFCF16CF98CD85AEEBBB5FF48305F18809AFA0567211D3399950DB68
                                  APIs
                                  • RtlInitUnicodeString.NTDLL(?), ref: 0048A6D9
                                  • RtlInitUnicodeString.NTDLL(?,00000000), ref: 0048A6E4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2343894867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_gem1.jbxd
                                  • API ID: InitStringUnicode
                                  • String ID: 0Q8w
                                  • API String ID: 4228678080-1710177118
                                  • Opcode ID: 7daf87f8c1ea5e59ace241312ec7f61dd946e809b9173c130261c4fe55fa0827
                                  • Instruction ID: 9965e4e76de23dc0ee0a0bab637c9cbc157b952fc1d2a329a02330ce3ace71f2
                                  • Opcode Fuzzy Hash: 7daf87f8c1ea5e59ace241312ec7f61dd946e809b9173c130261c4fe55fa0827
                                  • Instruction Fuzzy Hash: 7CF03036140649DFC701CF99E888D96B7ECBB6C3107548453E945C7620C232F8A9CB61