Windows Analysis Report
cloudflare.msi

Overview

General Information

Sample name: cloudflare.msi
Analysis ID: 1573183
MD5: 5d2922491b47e1c355103194e069e5ac
SHA1: eb918f926c9cc2f9239f1dfe0380727c8170982c
SHA256: c348002e3d2cf40a2fc3c819a96b1735dc451bb3ec32ba9355feaccd3eee63c0
Tags: 193-188-22-40, msi, user-JAMESWT_MHT
Infos:

Detection

DanaBot
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected DanaBot stealer dll
AI detected suspicious sample
May use the Tor software to hide its network traffic
PE file has a writeable .text section
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • msiexec.exe (PID: 3052 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\cloudflare.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 1424 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • AudioReaderXL.exe (PID: 884 cmdline: "C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe" MD5: 5D8A546C266CC1D2F14B3BE5C662C67A)
  • cleanup
Name: DanaBot
Description: Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
Attribution:
  • SCULLY SPIDER
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
3.2.AudioReaderXL.exe.88f0000.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
3.2.AudioReaderXL.exe.88f0000.3.unpack | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
3.2.AudioReaderXL.exe.88f0000.3.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
  • 0x32cfaa:$f1: FileZilla\recentservers.xml
  • 0x32cf66:$f2: FileZilla\sitemanager.xml
  • 0x3584e8:$b1: Chrome\User Data\
  • 0x35ef60:$b1: Chrome\User Data\
  • 0x35fa7c:$b1: Chrome\User Data\
  • 0x33f738:$b2: Mozilla\Firefox\Profiles
  • 0x353420:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x37e19c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x351e0a:$b4: Opera Software\Opera Stable\Login Data
  • 0x3585b8:$b5: YandexBrowser\User Data\
  • 0x370e4e:$s5: account.cfn
  • 0x3512e8:$s6: wand.dat
  • 0x350d9c:$a1: username_value
  • 0x35735c:$a1: username_value
  • 0x35762c:$a1: username_value
  • 0x359ae0:$a1: username_value
  • 0x350dc8:$a2: password_value
  • 0x3573b4:$a2: password_value
  • 0x357684:$a2: password_value
  • 0x359b38:$a2: password_value
  • 0x35abdc:$a3: encryptedUsername

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe, ProcessId: 884, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Advanced Chart Manager

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-11T16:19:20.342255+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49985 | 193.188.22.40 | 443 | TCP
2024-12-11T16:19:21.429638+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49988 | 193.188.22.41 | 443 | TCP
2024-12-11T16:19:22.638957+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49992 | 89.116.191.177 | 443 | TCP
2024-12-11T16:19:23.715965+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49995 | 213.210.13.4 | 443 | TCP

AV Detection

Source: Yara match | File source: 3.2.AudioReaderXL.exe.88f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AudioReaderXL.exe PID: 884, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D11A000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_0ff52850-8
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\License-Russian.txt
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\License.txt
Source: Binary string: C:\Projects\.Secondary\NotificationsDemo\Win64\Release\Notifications.pdb source: Notifications,1.dll.2.dr
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

Networking

Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.6:49985 -> 193.188.22.40:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.6:49988 -> 193.188.22.41:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.6:49992 -> 89.116.191.177:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.6:49995 -> 213.210.13.4:443
Source: global traffic | TCP traffic: 192.168.2.6:49887 -> 8.8.8.8:53
Source: Joe Sandbox View | ASN Name: LRTC-ASLT LRTC-ASLT
Source: Joe Sandbox View | ASN Name: EDGEtaGCIComGB EDGEtaGCIComGB
Source: Joe Sandbox View | ASN Name: LIVECOMM-ASRespublikanskayastr3k6RU LIVECOMM-ASRespublikanskayastr3k6RU
Source: unknown | TCP traffic detected without corresponding DNS query: 193.188.22.40 (12 identical entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 193.188.22.41 (12 identical entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 89.116.191.177 (12 identical entries)
Source: AudioReaderXL.exe, 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: AudioReaderXL.exe, 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | String found in binary or memory: http://docs.opengeospatial.org/as/18-005r5/18-005r5.html#34
Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | String found in binary or memory: http://docs.opengeospatial.org/as/18-005r5/18-005r5.html#34The
Source: AudioReaderXL.exe, 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | String found in binary or memory: http://opengis.net/def/crs
Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | String found in binary or memory: http://opengis.net/def/crshttps://opengis.net/def/crshttp://www.opengis.net/def/crshttps://www.openg
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Notifications,1.dll.2.dr | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.DelphiFFmpeg.com
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.DelphiFFmpeg.comSV
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.google.de
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.com/products/audio-reader-xl/videos/create-mp3.html
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.com/products/audio-reader-xl/videos/project-management.html
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.com/products/audio-reader-xl/videos/read-aloud-text.html
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.com/products/audio-reader-xl/videos/select-voice.html
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.com/products/audio-reader-xl/videos/settings.html
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.com/products/m_en_audio-reader-xl.html
Source: AudioReaderXL.exe, 00000003.00000002.3504321247.0000000002850000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.mediakg.com/products/m_en_audio-reader-xl.htmlR
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=0&cdrom=1&produkt=Vorleser%20XL
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=0&cdrom=1&produkt=Vorleser%20XLS
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=0&cdrom=1&produkt=Vorleser%20XLU
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=0&produkt=Vorleser%20XL
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=1&produkt=Audio%20Reader%20XL
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.de/products/ebooktomp3/videos/einstellungen.html
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.de/products/ebooktomp3/videos/mp3.html
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.de/products/ebooktomp3/videos/projekt.html
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.de/products/ebooktomp3/videos/stimme.html
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.de/products/ebooktomp3/videos/stimme.htmlU
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.de/products/ebooktomp3/videos/vorlesen.html
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.de/products/m_ge_text-vorlesen-lassen.html
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.de/register/ebooktomp3_german.html
Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.mediakg.de/register/order1.php?l=1&prog=ebook&lsv=false
Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | String found in binary or memory: http://www.opengis.net/def/crs
Source: AudioReaderXL.exe, 00000003.00000002.3527253406.0000000063469000.00000040.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2979002736.000000007EB44000.00000004.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2980668020.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3548280979.000000006E66F000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/V
Source: AudioReaderXL.exe, 00000003.00000003.2977578868.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3527253406.0000000063281000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: AudioReaderXL.exe, 00000003.00000003.2977578868.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3527253406.0000000063281000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | String found in binary or memory: https://cdn.proj.org/
Source: AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | String found in binary or memory: https://chemtable.ru/blog/files-inspector-activation.htm
Source: AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | String found in binary or memory: https://chemtable.ru/blog/how-to-uninstall-files-inspector.htm
Source: AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | String found in binary or memory: https://chemtable.ru/contact.htm
Source: AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | String found in binary or memory: https://chemtable.ru/downloads.htm
Source: AudioReaderXL.exe, 00000003.00000003.2328207725.00000000007A3000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | String found in binary or memory: https://chemtable.ru/key-exchange.php?OldKey=%s&App=%s
Source: AudioReaderXL.exe, 00000003.00000003.2328207725.00000000007A3000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | String found in binary or memory: https://chemtable.ru/key-recover.htm
Source: AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | String found in binary or memory: https://chemtable.ru/license.htm?doc=privacy
Source: AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | String found in binary or memory: https://chemtable.ru/license.htm?doc=terms
Source: AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | String found in binary or memory: https://chemtable.ru/like.htm
Source: AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | String found in binary or memory: https://chemtable.ru/previous-versions.htm
Source: AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | String found in binary or memory: https://chemtable.ru/ru/files-inspector.htm
Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D11A000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D11A000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D11A000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: AudioReaderXL.exe, 00000003.00000002.3510306998.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3500175085.000000000072D000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3507530427.0000000003A94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: AudioReaderXL.exe, 00000003.00000002.3507530427.0000000003A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: AudioReaderXL.exe, 00000003.00000002.3507530427.0000000003A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=10330
Source: AudioReaderXL.exe, 00000003.00000002.3500175085.000000000075F000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3500175085.00000000006CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | String found in binary or memory: https://opengis.net/def/crs
Source: jdefend.dll.2.dr | String found in binary or memory: https://proj.org/resource_files.html
Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | String found in binary or memory: https://proj.org/schemas/v0.7/projjson.schema.json
Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | String found in binary or memory: https://proj.org/schemas/v0.7/projjson.schema.jsonmm0.001millimetrecm0.01centimetre1.0meter0.3048foo
                Source: AudioReaderXL.exe, 00000003.00000002.3548061316.000000006E542000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://secure.r-tt.com/UserConsole.shtml
                Source: AudioReaderXL.exe, 00000003.00000002.3548061316.000000006E542000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://secure.r-tt.com/cgi-bin/Store?id=513https://secure.r-tt.com/cgi-bin/Store?ID=513https://www.
                Source: Russian.sib.2.drString found in binary or memory: https://theroadtodelphi.com
                Source: Russian.sib.2.drString found in binary or memory: https://www.flaticon.com/authors/pavel-kozlov
                Source: Russian.sib.2.drString found in binary or memory: https://www.flaticon.com/free-icon/right-arrow_566025
                Source: Notifications,1.dll.2.drString found in binary or memory: https://www.globalsign.com/repository/0
                Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/search?q=%22sapi
                Source: AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.de/search?q=%22sapi
                Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.drString found in binary or memory: https://www.opengis.net/def/crs
                Source: AudioReaderXL.exe, 00000003.00000002.3547012590.000000006D269000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: https://www.rebex.net/H
                Source: unknownNetwork traffic detected: HTTP traffic on port 49997 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49985
                Source: unknownNetwork traffic detected: HTTP traffic on port 49995 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49992 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49999
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49899
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49998
                Source: unknownNetwork traffic detected: HTTP traffic on port 49900 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49997
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49996
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49995
                Source: unknownNetwork traffic detected: HTTP traffic on port 49998 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49996 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49893
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49992
                Source: unknownNetwork traffic detected: HTTP traffic on port 49893 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49988 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49899 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49985 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49905
                Source: unknownNetwork traffic detected: HTTP traffic on port 49905 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49999 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49988
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49900
                Source: Yara matchFile source: Process Memory Space: AudioReaderXL.exe PID: 884, type: MEMORYSTR

                E-Banking Fraud

                Source: Yara match | File source: 3.2.AudioReaderXL.exe.88f0000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: AudioReaderXL.exe PID: 884, type: MEMORYSTR

                System Summary

                Source: 3.2.AudioReaderXL.exe.88f0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: RwcProxy.dll.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\47502a.msi
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{67D76A46-417D-40B2-AC02-DA0F92C8DB7A}
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI553B.tmp
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\47502c.msi
                Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\47502c.msi
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C8A8CB0
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C8A6CC0
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C88CCD0
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C89ACD0
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C8A5C00
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C8D1C20
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C8A9C30
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C8AED80
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C8B9DA0
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C8DDDA0
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C89EDE0
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C8B4D30
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C8B7E80
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C8A4EB0
                Source: VclStylesinno.dll.2.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
                Source: 3.2.AudioReaderXL.exe.88f0000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: AudioReaderXL.exe, 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: .VbPx
                Source: classification engine | Classification label: mal84.troj.spyw.evad.winMSI@4/53@0/5
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_00B440E8 CoCreateInstance,CoCreateInstance
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\CML5589.tmp
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Mutant created: \Sessions\1\BaseNamedObjects\vorleserxl
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Mutant created: \Sessions\1\BaseNamedObjects\62085327
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DF3C732E24B520FB0D.TMP
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File read: C:\Users\desktop.ini
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: AudioReaderXL.exe, 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                Source: AudioReaderXL.exe, 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: AudioReaderXL.exe, 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | Binary or memory string: CREATE TABLE properties( url TEXT PRIMARY KEY NOT NULL, lastChecked TIMESTAMP NOT NULL, fileSize INTEGER NOT NULL, lastModified TEXT, etag TEXT);CREATE TABLE downloaded_file_properties( url TEXT PRIMARY KEY NOT NULL, lastChecked TIMESTAMP NOT NULL, fileSize INTEGER NOT NULL, lastModified TEXT, etag TEXT);CREATE TABLE chunk_data( id INTEGER PRIMARY KEY AUTOINCREMENT CHECK (id > 0), data BLOB NOT NULL);CREATE TABLE chunks( id INTEGER PRIMARY KEY AUTOINCREMENT CHECK (id > 0), url TEXT NOT NULL, offset INTEGER NOT NULL, data_id INTEGER NOT NULL, data_size INTEGER NOT NULL, CONSTRAINT fk_chunks_url FOREIGN KEY (url) REFERENCES properties(url), CONSTRAINT fk_chunks_data FOREIGN KEY (data_id) REFERENCES chunk_data(id));CREATE INDEX idx_chunks ON chunks(url, offset);CREATE TABLE linked_chunks( id INTEGER PRIMARY KEY AUTOINCREMENT CHECK (id > 0), chunk_id INTEGER NOT NULL, prev INTEGER, next INTEGER, CONSTRAINT fk_links_chunkid FOREIGN KEY (chunk_id) REFERENCES chunks(id), CONSTRAINT fk_links_prev FOREIGN KEY (prev) REFERENCES linked_chunks(id), CONSTRAINT fk_links_next FOREIGN KEY (next) REFERENCES linked_chunks(id));CREATE INDEX idx_linked_chunks_chunk_id ON linked_chunks(chunk_id);CREATE TABLE linked_chunks_head_tail( head INTEGER, tail INTEGER, CONSTRAINT lht_head FOREIGN KEY (head) REFERENCES linked_chunks(id), CONSTRAINT lht_tail FOREIGN KEY (tail) REFERENCES linked_chunks(id));INSERT INTO linked_chunks_head_tail VALUES (NULL, NULL);
                Source: AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                Source: AudioReaderXL.exe, 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                Source: AudioReaderXL.exe, 00000003.00000003.3017821149.0000000009229000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3510306998.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.3021384227.0000000009228000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: cloudflare.msi | Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
                Source: AudioReaderXL.exe | String found in binary or memory: %%QuickPDFLibrary-Start
                Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\cloudflare.msi"
                Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe "C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe"
                Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: msihnd.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
                Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: olepro32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: sapidll.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: pdftext.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: jdefend.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: abcpdf.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: rwcproxy.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: oleacc.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: netapi32.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: rasman.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: samcli.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: avifil32.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: msvfw32.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: msacm32.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: winmmbase.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: cryptui.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: wtsapi32.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: pstorec.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: winsta.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: ieframe.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: wkscli.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: mlang.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: vaultcli.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: rtutils.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: napinsp.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: pnrpnsp.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: wshbth.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: nlaapi.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: winrnr.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: sxs.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: wlanapi.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: netprofm.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: npmproxy.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: mmdevapi.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: devobj.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: audioses.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: powrprof.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: umpdc.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: logoncli.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: cloudflare.msi | Static file information: File size 14462976 > 1048576
                Source: Binary string: C:\Projects\.Secondary\NotificationsDemo\Win64\Release\Notifications.pdb source: Notifications,1.dll.2.dr
                Source: PDFtext.dll.2.dr | Static PE information: real checksum: 0x0 should be: 0x1446fe
                Source: RwcProxy.dll.2.dr | Static PE information: real checksum: 0x5b597 should be: 0x63597
                Source: VclStylesinno.dll.2.dr | Static PE information: real checksum: 0x0 should be: 0x301b55
                Source: SAPIDLL.dll.2.dr | Static PE information: real checksum: 0x0 should be: 0x6f5d8
                Source: ABCpdf.dll.2.dr | Static PE information: real checksum: 0x0 should be: 0xb2a6e
                Source: CloseApplication.dll.2.dr | Static PE information: section name: .didata
                Source: VclStylesinno.dll.2.dr | Static PE information: section name: .didata
                Source: gdiplus.dll.2.dr | Static PE information: section name: Shared
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_00B41954 push 00B419E1h; ret 3_2_00B419D9
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_00B0E0A0 push 00B0E0D8h; ret 3_2_00B0E0D0
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_00B1C0C4 push 00B1C139h; ret 3_2_00B1C131
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_00B0E1F0 push 00B0E21Ch; ret 3_2_00B0E214
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\WinRTApps,1.dll
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\WinRTApps,2.dll
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\Notifications,1.dll
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\PDFtext.dll
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\VclStylesinno.dll
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\CloseApplication.dll
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\RwcProxy.dll
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\gdiplus.dll
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\SAPIDLL.dll
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\Notifications,2.dll
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\jdefend.dll
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\ABCpdf.dll
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\License-Russian.txt
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\License.txt
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Advanced Chart Manager

                Hooking and other Techniques for Hiding and Protection

                Source: AudioReaderXL.exe, 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: torConnect
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Window / User API: threadDelayed 1443
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Window / User API: threadDelayed 741
                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\WinRTApps,1.dll
                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\WinRTApps,2.dll
                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\Notifications,1.dll
                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\VclStylesinno.dll
                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\CloseApplication.dll
                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\gdiplus.dll
                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\Notifications,2.dll
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe TID: 5036 | Thread sleep time: -72150s >= -30000s
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe TID: 3004 | Thread sleep time: -75075s >= -30000s
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe TID: 1476 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe TID: 3248 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
                Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Thread delayed: delay time: 75075
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Roaming
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: AudioReaderXL.exe, 00000003.00000002.3500175085.0000000000766000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD9}
                Source: cloudflare.msi | Binary or memory string: *VMci
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | API call chain: ExitProcess graph end node | graph_3-6579
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | API call chain: ExitProcess graph end node | graph_3-7081
                Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C8BBC68 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6C8BBC68
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Process token adjusted: Debug
                Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe "C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe"
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: 3_2_6C8BBC68 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6C8BBC68
                Source: AudioReaderXL.exe, 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U
                Source: AudioReaderXL.exe, 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: explorer.exeShell_TrayWnd
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,3_2_00AF5858
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Code function: GetLocaleInfoA,3_2_00AF61BC
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIdJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIdJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIdJump to behavior
                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeCode function: 3_2_6C8BBDE3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_6C8BBDE3
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeCode function: 3_2_00B41954 GetVersion,3_2_00B41954
                Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 3.2.AudioReaderXL.exe.88f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AudioReaderXL.exe PID: 884, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: Yara match | File source: 3.2.AudioReaderXL.exe.88f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AudioReaderXL.exe PID: 884, type: MEMORYSTR
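The two behaviours this report records for AudioReaderXL.exe (PID 884), reading host identifiers from the registry (CentralProcessor, ProductId, InstallDate, MachineGuid) and opening the Chrome, Edge and Firefox credential stores listed above, are exactly the pair a hunt query should correlate per process, because either one alone is common in benign software. The following is an added example, not code from Joe Sandbox, from the sample or from DanaBot: it correlates the two behaviours over constructed Sysmon-style events. The event shape, the browser image allowlist, the two thresholds and the extra Firefox files logins.json and key4.db are assumptions and not taken from the report.

```python
"""Flag processes that combine browser credential-store access with host fingerprinting.

Added example; the events are constructed, loosely modelled on Sysmon file and
registry event fields, to reproduce the pattern the report shows for PID 884.
"""
import re
from dataclasses import dataclass, field

# Browser secret stores the report shows being opened (Chrome/Edge Login Data, Web Data,
# Cookies, Network\Cookies; Firefox profiles.ini, cookies.sqlite). logins.json and key4.db
# are added as assumptions: they hold Firefox saved logins. Preferences is deliberately
# excluded, it is configuration rather than secrets.
BROWSER_STORE_RE = re.compile(
    r"\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\(?:Network\\Cookies|Cookies|Login Data|Web Data)$"
    r"|\\Mozilla\\Firefox\\(?:profiles\.ini|Profiles\\[^\\]+\\(?:cookies\.sqlite|logins\.json|key4\.db))$",
    re.IGNORECASE,
)

# Registry values the report shows being read for host identification.
FINGERPRINT_REG_RE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\(?:HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+"
    r"|SOFTWARE\\Microsoft\\Cryptography\\MachineGuid"
    r"|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\(?:ProductId|InstallDate))$",
    re.IGNORECASE,
)

# Browsers legitimately open their own stores. Matching on image name alone is spoofable;
# in production pair it with the image's Authenticode signer.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}

MIN_STORES = 2   # one store may be a backup/sync tool; two distinct stores is stealer-like
MIN_FP_KEYS = 2  # a single CPU lookup is common in installers; several values is profiling


@dataclass
class ProcessProfile:
    image: str
    stores: set = field(default_factory=set)
    fp_keys: set = field(default_factory=set)


def verdict(p: ProcessProfile):
    """Return a verdict string for one process, or None if nothing is notable."""
    stealer = len(p.stores) >= MIN_STORES
    profiling = len(p.fp_keys) >= MIN_FP_KEYS
    if stealer and profiling:
        return "stealer-like with host fingerprinting"
    if stealer:
        return "stealer-like"
    if profiling:
        return "host fingerprinting"
    return None


def classify(events):
    """Group events by PID and return {pid: verdict} for the notable processes only."""
    profiles = {}
    for ev in events:
        p = profiles.setdefault(ev["pid"], ProcessProfile(ev["image"]))
        target = ev["target"]
        if ev["type"] == "file_open" and BROWSER_STORE_RE.search(target):
            # Windows paths are case-insensitive, so de-duplicate on the lowered path.
            if p.image.rsplit("\\", 1)[-1].lower() not in BROWSER_IMAGES:
                p.stores.add(target.lower())
        elif ev["type"] == "reg_query" and FINGERPRINT_REG_RE.match(target):
            p.fp_keys.add(target.lower())
    result = {}
    for pid, p in profiles.items():
        v = verdict(p)
        if v is not None:
            result[pid] = v
    return result


# Constructed sample events (assumption: not taken from the report's own log).
ARXL = r"C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe"
SAMPLE_EVENTS = [
    {"pid": 884, "image": ARXL, "type": "reg_query",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
    {"pid": 884, "image": ARXL, "type": "reg_query",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId"},
    {"pid": 884, "image": ARXL, "type": "reg_query",
     "target": r"HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid"},
    {"pid": 884, "image": ARXL, "type": "file_open",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 884, "image": ARXL, "type": "file_open",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"pid": 884, "image": ARXL, "type": "file_open",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite"},
    # Chrome reading its own store: expected, no alert.
    {"pid": 1200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "type": "file_open",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # An installer reading one CPU key: below the profiling threshold.
    {"pid": 2300, "image": r"C:\Windows\System32\msiexec.exe", "type": "reg_query",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
    # Several machine identifiers but no browser data: fingerprinting only.
    {"pid": 3000, "image": r"C:\Users\user\Downloads\setup.exe", "type": "reg_query",
     "target": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid"},
    {"pid": 3000, "image": r"C:\Users\user\Downloads\setup.exe", "type": "reg_query",
     "target": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate"},
]

if __name__ == "__main__":
    for pid, v in classify(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {v}")
```

Only PID 884 reaches the combined verdict; the browser's own access and the single CPU lookup by msiexec.exe are dropped by the allowlist and the threshold, and the setup.exe process surfaces at the lower "host fingerprinting" tier for triage rather than as an alert.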

Remote Access Functionality

Source: Yara match | File source: 3.2.AudioReaderXL.exe.88f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AudioReaderXL.exe PID: 884, type: MEMORYSTR
MITRE ATT&CK Matrix

Columns of the matrix: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Only the cells carrying a badge (techniques matched by this analysis) are listed below; the badge text is kept exactly as displayed. All other matrix cells are the unpopulated template.

Tactic               | Badge | Technique
Initial Access       | 1     | Replication Through Removable Media
Execution            | 11    | Windows Management Instrumentation
Execution            | 2     | Command and Scripting Interpreter
Persistence          | 1     | DLL Side-Loading
Persistence          | 1     | Registry Run Keys / Startup Folder
Privilege Escalation | 1     | DLL Side-Loading
Privilege Escalation | 2     | Process Injection
Privilege Escalation | 1     | Registry Run Keys / Startup Folder
Defense Evasion      | 1     | Disable or Modify Tools
Defense Evasion      | 1     | Obfuscated Files or Information
Defense Evasion      | 1     | DLL Side-Loading
Defense Evasion      | 1     | File Deletion
Defense Evasion      | 11    | Masquerading
Defense Evasion      | 131   | Virtualization/Sandbox Evasion
Defense Evasion      | 2     | Process Injection
Credential Access    | 1     | OS Credential Dumping
Discovery            | 1     | System Time Discovery
Discovery            | 11    | Peripheral Device Discovery
Discovery            | 2     | File and Directory Discovery
Discovery            | 65    | System Information Discovery
Discovery            | 121   | Security Software Discovery
Discovery            | 2     | Process Discovery
Discovery            | 131   | Virtualization/Sandbox Evasion
Discovery            | 1     | Application Window Discovery
Discovery            | 1     | System Owner/User Discovery
Collection           | 11    | Archive Collected Data
Collection           | 1     | Data from Local System
Command and Control  | 12    | Encrypted Channel
Command and Control  | 1     | Multi-hop Proxy
Command and Control  | 1     | Application Layer Protocol
Command and Control  | 1     | Proxy
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source         | Detection | Scanner
cloudflare.msi | 8%        | ReversingLabs

Dropped Files
Source                                                                                  | Detection | Scanner
C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\ABCpdf.dll                 | 3%        | ReversingLabs
C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe          | 0%        | ReversingLabs
C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\CloseApplication.dll       | 0%        | ReversingLabs
C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\Notifications,1.dll        | 0%        | ReversingLabs
C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\Notifications,2.dll        | 0%        | ReversingLabs
C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\PDFtext.dll                | 0%        | ReversingLabs
C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\RwcProxy.dll               | 0%        | ReversingLabs
C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\SAPIDLL.dll                | 0%        | ReversingLabs
C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\VclStylesinno.dll          | 0%        | ReversingLabs
C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\WinRTApps,1.dll            | 0%        | ReversingLabs
C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\WinRTApps,2.dll            | 0%        | ReversingLabs
C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\gdiplus.dll                | 2%        | ReversingLabs
C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\jdefend.dll                | 5%        | ReversingLabs

Unpacked PE Files: No Antivirus matches

Domains: No Antivirus matches
URLs
Source | Detection | Scanner | Label
https://www.opengis.net/def/crs | 0% | Avira URL Cloud | safe
http://www.mediakg.de/products/ebooktomp3/videos/mp3.html | 0% | Avira URL Cloud | safe
http://www.mediakg.com/products/audio-reader-xl/videos/select-voice.html | 0% | Avira URL Cloud | safe
http://www.mediakg.com/products/m_en_audio-reader-xl.html | 0% | Avira URL Cloud | safe
http://www.mediakg.de/products/ebooktomp3/videos/einstellungen.html | 0% | Avira URL Cloud | safe
https://secure.r-tt.com/UserConsole.shtml | 0% | Avira URL Cloud | safe
https://chemtable.ru/previous-versions.htm | 0% | Avira URL Cloud | safe
https://chemtable.ru/license.htm?doc=terms | 0% | Avira URL Cloud | safe
http://www.mediakg.de/products/ebooktomp3/videos/vorlesen.html | 0% | Avira URL Cloud | safe
https://proj.org/schemas/v0.7/projjson.schema.jsonmm0.001millimetrecm0.01centimetre1.0meter0.3048foo | 0% | Avira URL Cloud | safe
http://www.mediakg.com/products/m_en_audio-reader-xl.htmlR | 0% | Avira URL Cloud | safe
http://www.mediakg.com/products/audio-reader-xl/videos/project-management.html | 0% | Avira URL Cloud | safe
https://chemtable.ru/key-exchange.php?OldKey=%s&App=%s | 0% | Avira URL Cloud | safe
https://secure.r-tt.com/cgi-bin/Store?id=513https://secure.r-tt.com/cgi-bin/Store?ID=513https://www. | 0% | Avira URL Cloud | safe
https://theroadtodelphi.com | 0% | Avira URL Cloud | safe
https://chemtable.ru/downloads.htm | 0% | Avira URL Cloud | safe
http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=0&cdrom=1&produkt=Vorleser%20XL | 0% | Avira URL Cloud | safe
http://www.DelphiFFmpeg.comSV | 0% | Avira URL Cloud | safe
https://proj.org/schemas/v0.7/projjson.schema.json | 0% | Avira URL Cloud | safe
https://chemtable.ru/ru/files-inspector.htm | 0% | Avira URL Cloud | safe
https://www.rebex.net/H | 0% | Avira URL Cloud | safe
https://cdn.proj.org/ | 0% | Avira URL Cloud | safe
https://proj.org/resource_files.html | 0% | Avira URL Cloud | safe
http://opengis.net/def/crs | 0% | Avira URL Cloud | safe
http://www.opengis.net/def/crs | 0% | Avira URL Cloud | safe
http://www.mediakg.de/products/ebooktomp3/videos/projekt.html | 0% | Avira URL Cloud | safe
http://docs.opengeospatial.org/as/18-005r5/18-005r5.html#34 | 0% | Avira URL Cloud | safe
https://opengis.net/def/crs | 0% | Avira URL Cloud | safe
http://docs.opengeospatial.org/as/18-005r5/18-005r5.html#34The | 0% | Avira URL Cloud | safe
http://www.DelphiFFmpeg.com | 0% | Avira URL Cloud | safe
https://chemtable.ru/license.htm?doc=privacy | 0% | Avira URL Cloud | safe
http://www.mediakg.de/products/m_ge_text-vorlesen-lassen.html | 0% | Avira URL Cloud | safe
https://chemtable.ru/like.htm | 0% | Avira URL Cloud | safe
http://opengis.net/def/crshttps://opengis.net/def/crshttp://www.opengis.net/def/crshttps://www.openg | 0% | Avira URL Cloud | safe
http://www.mediakg.com/products/audio-reader-xl/videos/create-mp3.html | 0% | Avira URL Cloud | safe
http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=0&produkt=Vorleser%20XL | 0% | Avira URL Cloud | safe
https://chemtable.ru/blog/how-to-uninstall-files-inspector.htm | 0% | Avira URL Cloud | safe
http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=1&produkt=Audio%20Reader%20XL | 0% | Avira URL Cloud | safe
https://chemtable.ru/key-recover.htm | 0% | Avira URL Cloud | safe
http://www.mediakg.com/products/audio-reader-xl/videos/read-aloud-text.html | 0% | Avira URL Cloud | safe
http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=0&cdrom=1&produkt=Vorleser%20XLS | 0% | Avira URL Cloud | safe
http://www.mediakg.de/register/order1.php?l=1&prog=ebook&lsv=false | 0% | Avira URL Cloud | safe
https://chemtable.ru/blog/files-inspector-activation.htm | 0% | Avira URL Cloud | safe
http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=0&cdrom=1&produkt=Vorleser%20XLU | 0% | Avira URL Cloud | safe
http://www.mediakg.de/products/ebooktomp3/videos/stimme.htmlU | 0% | Avira URL Cloud | safe
http://www.mediakg.de/products/ebooktomp3/videos/stimme.html | 0% | Avira URL Cloud | safe
https://chemtable.ru/contact.htm | 0% | Avira URL Cloud | safe
http://www.mediakg.de/register/ebooktomp3_german.html | 0% | Avira URL Cloud | safe
http://www.mediakg.com/products/audio-reader-xl/videos/settings.html | 0% | Avira URL Cloud | safe
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
URLs (from memory and dropped files)

Name | Source | Malicious | Antivirus Detection | Reputation
http://html4/loose.dtd | AudioReaderXL.exe, 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp | false | | high
https://chemtable.ru/license.htm?doc=terms | AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | false | Avira URL Cloud: safe | unknown
http://www.mediakg.de/products/ebooktomp3/videos/mp3.html | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://www.flaticon.com/authors/pavel-kozlov | Russian.sib.2.dr | false | | high
http://www.openssl.org/V | AudioReaderXL.exe, 00000003.00000002.3527253406.0000000063469000.00000040.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2979002736.000000007EB44000.00000004.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2980668020.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3548280979.000000006E66F000.00000040.00001000.00020000.00000000.sdmp | false | | high
https://secure.r-tt.com/UserConsole.shtml | AudioReaderXL.exe, 00000003.00000002.3548061316.000000006E542000.00000002.00000001.01000000.00000008.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mediakg.com/products/audio-reader-xl/videos/select-voice.html | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mediakg.com/products/m_en_audio-reader-xl.html | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mediakg.de/products/ebooktomp3/videos/vorlesen.html | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://proj.org/schemas/v0.7/projjson.schema.jsonmm0.001millimetrecm0.01centimetre1.0meter0.3048foo | AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/search?q=%22sapi | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | | high
https://www.opengis.net/def/crs | AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | false | Avira URL Cloud: safe | unknown
http://.css | AudioReaderXL.exe, 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp | false | | high
https://www.google.de/search?q=%22sapi | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | | high
http://www.mediakg.de/products/ebooktomp3/videos/einstellungen.html | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://www.openssl.org/support/faq.html | AudioReaderXL.exe, 00000003.00000003.2977578868.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3527253406.0000000063281000.00000040.00001000.00020000.00000000.sdmp | false | | high
https://chemtable.ru/previous-versions.htm | AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | false | Avira URL Cloud: safe | unknown
http://www.mediakg.com/products/audio-reader-xl/videos/project-management.html | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/hsts.html | AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D11A000.00000002.00000001.01000000.00000006.sdmp | false | | high
http://www.google.de | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | | high
http://www.mediakg.com/products/m_en_audio-reader-xl.htmlR | AudioReaderXL.exe, 00000003.00000002.3504321247.0000000002850000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.DelphiFFmpeg.comSV | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://secure.r-tt.com/cgi-bin/Store?id=513https://secure.r-tt.com/cgi-bin/Store?ID=513https://www. | AudioReaderXL.exe, 00000003.00000002.3548061316.000000006E542000.00000002.00000001.01000000.00000008.sdmp | false | Avira URL Cloud: safe | unknown
https://chemtable.ru/downloads.htm | AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | false | Avira URL Cloud: safe | unknown
https://chemtable.ru/key-exchange.php?OldKey=%s&App=%s | AudioReaderXL.exe, 00000003.00000003.2328207725.00000000007A3000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | false | Avira URL Cloud: safe | unknown
https://proj.org/schemas/v0.7/projjson.schema.json | AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | false | Avira URL Cloud: safe | unknown
http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=0&cdrom=1&produkt=Vorleser%20XL | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://chemtable.ru/ru/files-inspector.htm | AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | false | Avira URL Cloud: safe | unknown
http://.jpg | AudioReaderXL.exe, 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp | false | | high
https://theroadtodelphi.com | Russian.sib.2.dr | false | Avira URL Cloud: safe | unknown
https://proj.org/resource_files.html | jdefend.dll.2.dr | false | Avira URL Cloud: safe | unknown
https://www.rebex.net/H | AudioReaderXL.exe, 00000003.00000002.3547012590.000000006D269000.00000002.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
http://opengis.net/def/crs | AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | false | Avira URL Cloud: safe | unknown
http://docs.opengeospatial.org/as/18-005r5/18-005r5.html#34The | AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | false | Avira URL Cloud: safe | unknown
http://www.mediakg.de/products/ebooktomp3/videos/projekt.html | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.proj.org/ | AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/http-cookies.html | AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D11A000.00000002.00000001.01000000.00000006.sdmp | false | | high
https://opengis.net/def/crs | AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | false | Avira URL Cloud: safe | unknown
http://docs.opengeospatial.org/as/18-005r5/18-005r5.html#34 | AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | false | Avira URL Cloud: safe | unknown
http://www.opengis.net/def/crs | AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | false | Avira URL Cloud: safe | unknown
https://www.flaticon.com/free-icon/right-arrow_566025 | Russian.sib.2.dr | false | | high
http://www.DelphiFFmpeg.com | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=0&produkt=Vorleser%20XL | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://chemtable.ru/license.htm?doc=privacy | AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.dr | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/alt-svc.html | AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D11A000.00000002.00000001.01000000.00000006.sdmp | false | | high
http://opengis.net/def/crshttps://opengis.net/def/crshttp://www.opengis.net/def/crshttps://www.openg | AudioReaderXL.exe, 00000003.00000002.3543383906.000000006D048000.00000002.00000001.01000000.00000006.sdmp, jdefend.dll.2.dr | false | Avira URL Cloud: safe | unknown
http://www.mediakg.com/products/audio-reader-xl/videos/create-mp3.html | AudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe |
                                            unknown
                                            http://www.mediakg.de/products/m_ge_text-vorlesen-lassen.htmlAudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://chemtable.ru/like.htmAudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.drfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=1&produkt=Audio%20Reader%20XLAudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.openssl.org/support/faq.htmlRANDAudioReaderXL.exe, 00000003.00000003.2977578868.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000002.3527253406.0000000063281000.00000040.00001000.00020000.00000000.sdmpfalse
                                              high
                                              https://chemtable.ru/blog/how-to-uninstall-files-inspector.htmAudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.drfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.mediakg.com/products/audio-reader-xl/videos/read-aloud-text.htmlAudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://chemtable.ru/key-recover.htmAudioReaderXL.exe, 00000003.00000003.2328207725.00000000007A3000.00000004.00000020.00020000.00000000.sdmp, AudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.drfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=0&cdrom=1&produkt=Vorleser%20XLSAudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.mediakg.de/register/order1.php?l=1&prog=ebook&lsv=falseAudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://chemtable.ru/blog/files-inspector-activation.htmAudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.drfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.mediakg.de/products/ebooktomp3/videos/stimme.htmlUAudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.mediakg.de/products/ebooktomp3/videos/stimme.htmlAudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.mediakg.de/contact/m_ge_contact.php?gr=technik&l=0&cdrom=1&produkt=Vorleser%20XLUAudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://chemtable.ru/contact.htmAudioReaderXL.exe, 00000003.00000003.2327793560.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Russian.sib.2.drfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.mediakg.de/register/ebooktomp3_german.htmlAudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.mediakg.com/products/audio-reader-xl/videos/settings.htmlAudioReaderXL.exe, 00000003.00000000.2275487417.0000000000401000.00000020.00000001.01000000.00000003.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
IP | Domain | Country | ASN | ASN Name | Malicious
8.8.8.8 | unknown | United States | 15169 | GOOGLEUS | false
89.116.191.177 | unknown | Lithuania | 15419 | LRTC-ASLT | true
213.210.13.4 | unknown | United Kingdom | 8851 | EDGEtaGCIComGB | true
193.188.22.40 | unknown | Russian Federation | 49558 | LIVECOMM-ASRespublikanskayastr3k6RU | true
193.188.22.41 | unknown | Russian Federation | 49558 | LIVECOMM-ASRespublikanskayastr3k6RU | true
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1573183
                                              Start date and time:2024-12-11 16:16:16 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 7m 46s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:cloudflare.msi
                                              Detection:MAL
                                              Classification:mal84.troj.spyw.evad.winMSI@4/53@0/5
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:Failed
                                              Cookbook Comments:
                                              • Found application associated with file extension: .msi
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                              • Excluded IPs from analysis (whitelisted): 13.107.246.63, 23.206.197.11, 20.109.210.53
                                              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                              • Report size getting too big, too many NtEnumerateKey calls found.
                                              • Report size getting too big, too many NtEnumerateValueKey calls found.
                                              • Report size getting too big, too many NtOpenFile calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • VT rate limit hit for: cloudflare.msi
Time | Type | Description
10:18:02 | API Interceptor | 1220x Sleep call for process: AudioReaderXL.exe modified
16:19:25 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Advanced Chart Manager C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
Match (IP) | Associated Sample Name / URL | Detection | Threat Name
89.116.191.177 | zDcNyG6Csn.exe | malicious | DanaBot
213.210.13.4 | zDcNyG6Csn.exe | malicious | DanaBot
193.188.22.40 | zDcNyG6Csn.exe | malicious | DanaBot

Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0035.t-0009.t-msedge.net | discord.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Document.xla | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Message_2713712.eml | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | FreebieNotes.exe | malicious | LummaC Stealer | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | xeroxscan.Docx | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | xeroxscan.Docx | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | xeroxscan.Docx | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://www.officested.com/eur/14cb4ab4-62b8-45a2-a944-e225383ee1f9/bbd2fe64-a7e1-4036-87ed-fa296dec6eb4/3966c028-c5bc-45c3-932e-642ccbdd8bca/login?id=Zjc0eUxaVU1jVElZSFBZVWJoQXgrZGErVWw5TzBLNllUbTV2WGJKbjRIbk00VFJpTUxwZzJJWnZ2dnBXZjVyYldlWk9NOTQ4WGViVXUzUkI3TmFGdXhRQU9kWDdUUlFXRnlMaUdhZWVuVE9tdnc5bjFNaWs1M1ozTkRnUldwUHdHQ2gzNmRGTDZUM0pkbVExc2Vxa05lWExvQU5WZTFibEpLeXJwM0RIYWJKUjkrWlBZNU5DRUFuTzc0dEZVb2tyOUlxMkVRK0pHSEllMFZLZkJTSXorK2Nady9WcmlFRUJVRkFZRXFrRkhmQ3pPTktuS2djQkVyQ2krUWpEZGlBY2ZCUi9neElRTFVINExCdkNIeVc1bXROSlNLaW9YYUlkWGZ4aFVDSVlIME5VMjY5MUQwRzd1cXBsSEpsZWYyR0pWaUdVdi9wZ3pHckJoK3FCNDRxN3huQzhhVXY5WU5PcWpoRDdDU3FZUWtUWDg2amJyWjQ0ZHhhOGprZGZUU0czOWhHaEFjZnhCR0JRdGlzVUp5ZVJqSmtSOWtvRE90VWp2SWJMb1VUNWpvTT0 | malicious | HTMLPhisher | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Purchase order docs..exe | malicious | Unknown | 13.107.246.63

Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
LIVECOMM-ASRespublikanskayastr3k6RU | zDcNyG6Csn.exe | malicious | DanaBot | 193.188.22.40
LIVECOMM-ASRespublikanskayastr3k6RU | http://winningwriters.com | malicious | Unknown | 193.188.22.73
LIVECOMM-ASRespublikanskayastr3k6RU | f6ffg1sZS2.exe | malicious | Babuk, Djvu | 92.246.89.93
LIVECOMM-ASRespublikanskayastr3k6RU | cHZiG7fsJb.exe | malicious | Metasploit | 212.192.213.56
LIVECOMM-ASRespublikanskayastr3k6RU | tsnsd8pOvn.exe | malicious | Babuk, Djvu | 92.246.89.93
LIVECOMM-ASRespublikanskayastr3k6RU | C0XWmZAnYk.exe | malicious | Babuk, Djvu | 92.246.89.93
LIVECOMM-ASRespublikanskayastr3k6RU | A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe | malicious | Babuk, Bdaejec, Djvu | 92.246.89.93
LIVECOMM-ASRespublikanskayastr3k6RU | DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe | malicious | Babuk, Bdaejec, Djvu, Zorab | 92.246.89.93
LIVECOMM-ASRespublikanskayastr3k6RU | E9E758383C0F518C4DBD1204A824762F5FAC37375D8C5695C749AD1C36C0F108.exe | malicious | Babuk, Bdaejec, Djvu, Zorab | 92.246.89.93
LRTC-ASLT | zDcNyG6Csn.exe | malicious | DanaBot | 89.116.191.177
LRTC-ASLT | jew.arm7.elf | malicious | Mirai | 89.117.100.57
LRTC-ASLT | ET5.exe | malicious | Unknown | 89.117.55.228
LRTC-ASLT | b1.exe | malicious | PureCrypter, MicroClip | 89.117.79.31
LRTC-ASLT | b1.exe | malicious | PureCrypter, MicroClip | 89.117.79.31
LRTC-ASLT | mipsel.elf | malicious | Unknown | 84.46.252.91
LRTC-ASLT | aeI0ukq9TD.exe | malicious | Unknown | 89.117.72.231
LRTC-ASLT | 0ylPF4c3eF.exe | malicious | Unknown | 89.117.72.231
LRTC-ASLT | 0ylPF4c3eF.exe | malicious | Unknown | 89.117.72.231
LRTC-ASLT | aeI0ukq9TD.exe | malicious | Unknown | 89.117.72.231
EDGEtaGCIComGB | zDcNyG6Csn.exe | malicious | DanaBot | 213.210.13.4
EDGEtaGCIComGB | Support.Client (1).exe | malicious | ScreenConnect Tool | 185.49.126.73
EDGEtaGCIComGB | Support.Client (1).exe | malicious | ScreenConnect Tool | 185.49.126.73
EDGEtaGCIComGB | la.bot.m68k.elf | malicious | Unknown | 213.210.9.89
EDGEtaGCIComGB | la.bot.powerpc.elf | malicious | Unknown | 77.107.70.202
EDGEtaGCIComGB | fvIqrxcfuL.exe | malicious | Quasar | 89.213.56.109
EDGEtaGCIComGB | la.bot.mipsel.elf | malicious | Unknown | 89.213.146.12
EDGEtaGCIComGB | arm7.elf | malicious | Unknown | 77.107.120.22
EDGEtaGCIComGB | JnC2t6WhUf.elf | malicious | Mirai | 213.130.144.69
EDGEtaGCIComGB | mhmdm9Hb6i.elf | malicious | Mirai | 213.130.144.69
                                                    No context
                                                    No context
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):12995
                                                    Entropy (8bit):5.776122125171664
                                                    Encrypted:false
                                                    SSDEEP:192:Me8c4QDjYe0lIfIhIfKWIrJnETn0ayhcp4:MqsIaISDrJZay9
                                                    MD5:FE0441EF65C06C996CDBCF773E4CA697
                                                    SHA1:4DD4F34D3D50E45D67A575DDFEF12025038B4D3F
                                                    SHA-256:A86C96EE19F589EB48B6E0DB35E5E2EAD635F10B7DD4ADF9BFC82952D6A1FD6E
                                                    SHA-512:DDF92706C58CE3AAB5135371E315C19BD35C85F9FFE577DDC6BD6BFED51DACF88F8250E7A613570EC617DD1CF6E72FC06B3814CC76D30AA849C042F8E6B8F401
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:...@IXOS.@.....@,R.Y.@.....@.....@.....@.....@.....@......&.{67D76A46-417D-40B2-AC02-DA0F92C8DB7A}..Audio Reader XL Premium..cloudflare.msi.@.....@.....@.....@........&.{F42B81C2-97E3-4FE6-BB7D-FDC864EFC273}.....@.....@.....@.....@.......@.....@.....@.......@......Audio Reader XL Premium......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{69ACFB11-8974-7600-BE76-FB33A2985E33}&.{67D76A46-417D-40B2-AC02-DA0F92C8DB7A}.@......&.{73617013-F5DE-07AB-793A-5A906368C1DE}&.{67D76A46-417D-40B2-AC02-DA0F92C8DB7A}.@......&.{EB597F34-5CA9-86B7-A290-3FD80E69853C}&.{67D76A46-417D-40B2-AC02-DA0F92C8DB7A}.@......&.{7C63DA7D-A151-8DE2-2017-642FB5D89B29}&.{67D76A46-417D-40B2-AC02-DA0F92C8DB7A}.@......&.{5A8AEE58-FA25-376B-5210-F176A92468D2}&.{67D76A46-417D-40B2-AC02-DA0F92C8DB7A}.@......&.{69D5A7EB-BC0A-D266-A8B3-317BF6CF77A5}&.{67D76A46-417D-40B2-AC02-DA0F92C8DB7A}.@......&.{0D67F12E-BF10-693F-7E5A-F6371E5AC
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):668160
                                                    Entropy (8bit):6.740452679312067
                                                    Encrypted:false
                                                    SSDEEP:12288:p2TYCjcIOrbbz7z7z9dkvF4KfcQnbHVoVTX23sgCxYPwtZ81+b+vUIqlzDG:MTYCj7OH9dPQnbHVeTXOsgCxYPwfhsU9
                                                    MD5:F35E190D9847AEE93157AD18BEE2FF51
                                                    SHA1:011DD903705AC60F39A74191B41B82C11C53ABE6
                                                    SHA-256:FAF2B98EF2934C7ADDF7056A3B6F2FA56C814DB79D960F8FB2744E4E4D260500
                                                    SHA-512:F4329B5BED3A840E1E630BE9A5A61903D2AAE31D6FAC068D6F750B98A0D2B65DE9B38DB1DDD6298C104704D48593996BC7DB8F6E6D77F1117BFC8E0431935738
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 3%
                                                    Reputation:low
                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........m..>..>..>...?..>...?d..>...?..>.2.?..>.2.?..>.2.?..>..>..>D2.?~..>F2.?..>D2.?..>...?..>..>...>F2.?..>F2.?..>F2.>..>F2.?..>Rich..>........PE..L...e.Pg...........!...*.....Z..............................................p............@.........................@...P.......P....0.......................@...(......................................@...............`............................text...|........................... ..`.rdata..............................@..@.data...............................@....rsrc........0......................@..@.reloc...(...@...*..................@..B........................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):2364872
                                                    Entropy (8bit):6.379046969425799
                                                    Encrypted:false
                                                    SSDEEP:24576:Wie/PVMysxcKuyHA1k7XTOS6waIrBmSNMddjftjQXcWrdr20cI1CtQEsdi7BAEws:WieFNZUMWBr20XMrsdiOi/dL
                                                    MD5:5D8A546C266CC1D2F14B3BE5C662C67A
                                                    SHA1:A474FE2BF3311A452BEE640DBB423B20E0A99929
                                                    SHA-256:8EAEFF4697CE489DAEE3D82E7C703409907BFB9FA890A3646B56634798E01BC4
                                                    SHA-512:CDD3C8C4A73CCF10D97097826E5B4567D0A3B227A9080E3FF7AD84EEC6276A11C94A47F545D2B6023ED6A3B4B377D2073E6584B2CE4492F1DE7789A7FA6C2CCA
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Reputation:low
                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................P............... ....@...........................%.....Z.%..........@..............................|3.......B............#..+..........................................................................................CODE................................ ..`DATA.....`... ...b..................@...BSS..................r...................idata..|3.......4...r..............@....tls.....................................rdata..............................@..P.reloc..hu..........................@..P.rsrc....B.......B..................@..P..............%......`%.............@..P........................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):60560
                                                    Entropy (8bit):7.942670786996824
                                                    Encrypted:false
                                                    SSDEEP:1536:brbl0jMTaIITC/tApjVrGPUUKhUBlE8q6bKPfYyBUgTZ3H1YMwZxwrpNZ:brbG5TS6p5rgUUfrE8qHVYMaqd
                                                    MD5:947023BA00312C4574A44688A11FD5EB
                                                    SHA1:164A4609C041D93CCB645AB8DF70E04FFB984508
                                                    SHA-256:AA45E23296396E41E3F1547EE8AA59989F2EE3E05651F27B842ECA366C87F047
                                                    SHA-512:A6AF49BA6E12B886BD30217A7AE5856881F553A4931ACDA2AE26E372FB79AFC09ECF0A6364011ADCDF2E2F93D76899A23570F00DB2DCE9D5C06A1A9C24B5C66D
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:VCL_STYLE 1.0x..........(.Q1."........l.....A *;......F\....o2....d....2.K2...7.qW4....i.v...9...<....=.TWU......:6....\....6si...0.23..~..o..>'.,3?s.9.s.c......3s...d....[f&...5.-2...^...lYj..7..5.c.W......:...:.,....,]6...[8...M.O..5...\f.9|.I...a.e2[.... .. .. .. .. .. .. .. ..Pfh.C.. .....:..C...A3>..mo.O}....p>.........M..:.w..C.9......:8.~r..v....>{..x...}6.]l..K..M.g.#.8.C.9..c.;.#....A..4.;.SN9..s..~.Yg...QG...i.G...3.<.E....-Nz....&..<....|....v<.9..9...\.../.G>./..?.<l.|q..]n.....Ole..|..gw9...4k..jx.[.E=.6?...L..H.{w.1.H]q...X{..?.8.|5o.....3O=..s..;..<.\.r.w.q..|..g..i.&<k..{>..?.f..[.t...1...;v.....@[.{.'.i...>...OoG......A....C..}?.....L.a..ywv..y.I'.4.;.9WZ.....o..i....Q.C....8..8?.. ?.O..'.%..rP..E......V.m.v.9.3..i6...7.'.r....c.N[.......].^.7lX>...F:.A..w.y..t.Ct..g........N.:..Ff.....3...../.a.#m..w..?.. ......&....;..Md.t.../9....s3...,..OD.K.yn..7.._.}.if_..?.t..<.3...3..k.y... ...l.y..5..a..m.5..i...{..Z..
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1077864
                                                    Entropy (8bit):6.658605493439835
                                                    Encrypted:false
                                                    SSDEEP:12288:23hLkUYjhGQdM7oMM+aHfjSjPexymAprswNEsr:0h3uGQdM/M+aH7SjPexDrwNfr
                                                    MD5:981EB6460FDE8A6456F55811AFDEF266
                                                    SHA1:1A745E900F0ECDFD8F158C610F25CD5C38CF1D89
                                                    SHA-256:F05248CAD953F87B0006633813DD4BF5A73B8012A2C777CD9746960BF4112DE0
                                                    SHA-512:DB9A1488F0A3B88B86A17AD65E37AA75648346CDFD2CFCC4F0C49ADEB59E7C8FB7EAF30C26E670DB49E4CCC6C34FEBB11C62FC2E80C1FE1D967F7A62B1D9E147
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Reputation:low
                                                    Preview:MZP.....................@......ujr......................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....!\...........#.....@...p...............P....@......................................................................................J...........N..h$...P...A..............................................................X....................text....@.......6.................. ..`.data....p...P...p...<..............@....tls................................@....idata..............................@..@.didata.............................@....edata..............................@..@
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):5773700
                                                    Entropy (8bit):7.999844991117473
                                                    Encrypted:true
                                                    SSDEEP:98304:6ZQF+FGaDvWpJDxvjReJGwufh41Gt+J2vuumYZnX0Ed4ghM8pFYLULa2:6yRfqSgJ2vhmYdEESg+DLk
                                                    MD5:4035390AF4171153C1CB708F7151ED5F
                                                    SHA1:9ED10AD504E6B19F6FD9570ED92A793BD2D79721
                                                    SHA-256:407048F9D01E5BF9051A043261A29C4654190444FE15E5F96F97C446AD7AE8D3
                                                    SHA-512:56C8942340B9D83C0C396AED680000E1A2C9A0F075CB8C96150D9341AEEF4A62245A373288CA0546C21605333DECA86DC2FD47812DE605BB3EAEB08B987E22C8
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:..B.8..2.V. \.......................................1012546698.?=<>2! #kKWRTHFHO.HM-QPSSUTW.\X[[U\_^uvsvuupuMHKJLLON.usrt|wvyNIJEILLVecbeegfi.njmmon..........v.........................]........................_.......................................................................................700?>=>;.1033547.<8;;5<?>HNWGWJFJ'(+*,,/..USRT\WVYkbnlnnmrOCBEEGFI.NJMMGNqp........kz}|~~a`.ged`nihkVmlon...........n..................................................................z................T........................5.N.a.e.w.t.y.j.\.q.e.p.m......103.3474.8;:.<O>S L"B$U&H(F*I,N.%P2RpT.V,X(Z2\1^$@7B.D3F(H8J&LWNqpsrut.syx{z}|.ga`czedg.lhkkglon............................................&..............................................i..........................." }&mm}rljkolyz&xe4p............0.325.O.X....].Z....C..@.....ik.cc`ee5.c.hl..ih@A@CZEDG.LHKKoLON%<!..3!..5:=.&42..&Z.R.,0.^_...?.............................................................I.............
                                                    Process:C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):5773922
                                                    Entropy (8bit):7.999845070062444
                                                    Encrypted:true
                                                    SSDEEP:98304:dZQF+FGaDvWpJDxvjReJGwufh41Gt+J2vuumYZnX0Ed4ghM8pFYLULaJ:dyRfqSgJ2vhmYdEESg+DLT
                                                    MD5:FF01238C5058B0A88937E6B66CEC3DEE
                                                    SHA1:CBA788EED57AAF85926723EDC60EF44B93A21540
                                                    SHA-256:13CA4BAA28A4E4CA78E2173C492D759AF5334BF5A1C86961FC5FC5A5B8970593
                                                    SHA-512:5671EC102C7FE17F3BEFA8FF58EB9E82DF21283F025C759C926143B8FF74235A8B2D18742F0B618727CC104583D203900D3AE77AE6497E581A040474A83F6A13
                                                    Malicious:false
                                                    Preview:".......8...r...z..X................................1012546698.?=<>2! #kKWRTHFHO.HM-QPSSUTW.\X[[U\_^uvsvuupuMHKJLLON.usrt|wvyNIJEILLVecbeegfi.njmmon..........v.........................]........................_.......................................................................................700?>=>;.1033547.<8;;5<?>HNWGWJFJ'(+*,,/..USRT\WVYkbnlnnmrOCBEEGFI.NJMMGNqp........kz}|~~a`.ged`nihkVmlon...........n..................................................................z................T........................5.N.a.e.w.t.y.j.\.q.e.p.m......103.3474.8;:.<O>S L"B$U&H(F*I,N.%P2RpT.V,X(Z2\1^$@7B.D3F(H8J&LWNqpsrut.syx{z}|.ga`czedg.lhkkglon............................................&..............................................i..........................." }&mm}rljkolyz&xe4p............0.325.O.X....].Z....C..@.....ik.cc`ee5.c.hl..ih@A@CZEDG.LHKKoLON%<!..3!..5:=.&42..&Z.R.,0.^_...?.............................................................I.............
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):128859
                                                    Entropy (8bit):4.943003285603881
                                                    Encrypted:false
                                                    SSDEEP:3072:3JhvdFo00y4f24h3eqwO2tVj7AVeWmOgXls/o68MU3O7Ik4JTMIs0FiThxajjQXR:3NFo0yf24hOqwOqVjXPXs/o6c3O7bzIs
                                                    MD5:4D7D38CA87590E1C4787D834312485FB
                                                    SHA1:7114A6219F62149071E289FF171CB3A78DD43DD7
                                                    SHA-256:BA8827D76C9682A3FBB548C1C392BD058C1CFDA1FD8654C715ABFBDAD750E9A0
                                                    SHA-512:28680AC747344F770D6A724C27F3B5F073C5A0D159FFA620900042EF25433E46F45D3A4C803175A92051F1F10B67F32ED2C41DEB5B610F65E37BB41C701B2CD5
                                                    Malicious:false
                                                    Preview:SIB file: TsiLang binary translation data.*.....TAboutForm>.....TApplicationsDeletedForml.....TApplicationsDidYouKnowTipsData....!.TApplicationsExternalDeleteModule.'....TApplicationsFrame"-....TApplicationsLogCreateForm.Q....TApplicationsLogNotationsForm.h....TApplicationsLogViewForm.p....TApplicationsRemovalToolsForm.... .TApplicationsRevertLogResultForm2.....TApplicationsUninstallForm......TBackgroundTasksModule......TCommonTextStringsDataModule......TDidYouKnowCenterForm.....TDidYouKnowCenterTipsData......TFilesAnalyzerGearModuleY...".TFilesInspectorDecreasePreviewForm......TFilesInspectorFinalDeleteFormM.....TFilesInspectorFrame....$.TFindAppUninstallKeyByFileDataModulec.....TForm30.!....TInterfaceHintsDataModule.%....TLicenseKeysDataModule.*....TLicensingKeyEnteringForm......TLicensingNagScreenFormD;....TLicensingOldKeysForm.C..!.TLicensingSubscriptionExpiredFormoQ..".TLicensingSubscriptionReminderForm.[....TMainForm.b....TMultiLanguageSupportFormLp....TNonModaInformersDataModul
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Non-ISO extended-ASCII text, with very long lines (754), with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4244
                                                    Entropy (8bit):5.198711732329662
                                                    Encrypted:false
                                                    SSDEEP:96:ovTn1OPTlcUb+PsDJkb53evIhiy79L3NxLagU0tbTTE6:oxwYaIhF79L3DGp0tfTF
                                                    MD5:3D44E666CE041981DBF7529916D4C92A
                                                    SHA1:0D51862AE922CEBAA9638D542D6B4684E195A1A8
                                                    SHA-256:62EDAD9E609781D9CC130B3DCB9AC27C7342F79F97BE295390C517251E98877B
                                                    SHA-512:665E016A6956588CE761ACA0E11D9429164E05E471B8F9C7510B297DDF136B209EC112C6043AF5407F3EFFDDE3E09AC4BAA47548209C5C09F156E483D447016B
                                                    Malicious:false
                                                    Preview:.........., ........ ........... ............. ............ ....................... ............ .......... (.......) ........ ............ (......... .......) . ........ ....... . ... ............ ....... ............. .... (..... . ............ ... .........) ......... ... ... Files Inspector (..... .........). ..... ............ . ......... ........... ... "........... ....... 365" (..... . ............... ... .........) . .......... ................ ............. .... .. ......... ... ... Files Inspector, ....... ........... ............ . ... . ........ ./... ........... ...., ......... ............ ............ (........ .... ..... ....... ...) ................ ..... .. ............. ........., ............ ...... ........... . ....... ......... . ............ . .............. ......... ........... (.........) ......... . ......... (....... ................ ........).............. ....... ...... (............. ..........)............. ...... (............ ........../.......) ...
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:ASCII text, with very long lines (588), with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):3227
                                                    Entropy (8bit):4.572788431582577
                                                    Encrypted:false
                                                    SSDEEP:96:VIH8x2eRbTuhCal3ZHUT8zbEJnUE6njHpakfW1n/:kCfRbTk/ZHQUGH
                                                    MD5:8C3D5DF72E234543B6619A38EA4C9915
                                                    SHA1:42247B1B09814B174742D85A87E842AF096426C9
                                                    SHA-256:3A5DDB81221D346B0A4F9DCBDCEFA7D63F38D4570D0C9B0627A7698094BA4356
                                                    SHA-512:9F52D48261909BB151449DAC60EB5D74128FAB03E89C2E50EE9A872D263E0F4D27203FC898E4BA1E39510672DE6CA0CAEA0329640C78B639DA58DEFB1F18C225
                                                    Malicious:false
                                                    Preview:PLEASE READ THE FOLLOWING LICENSE AGREEMENT CAREFULLY.....This License Agreement is a legal agreement between you (either an individual or a single entity) and Software Solutions 365 LLC for software products identified above, which may include associated software components, media, printed materials, and "online" or electronic documentation ("Software"). By installing, copying, or otherwise using the Software, you agree to be bound by the terms of this Agreement. If you do not agree to the terms of this Agreement, do not install or use the Software.....1. Files Inspector....This program is free for personal and educational (including non-profit organization) use. In these cases, you are granted the right to use and to make an unlimited number of copies of this software.....This Software and any support from Software Solutions 365 LLC are provided "AS IS" and without warranty, express or implied. Software Solutions 365 LLC specifically disclaim any implied warranties of merchantability
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):181416
                                                    Entropy (8bit):6.072186773489314
                                                    Encrypted:false
                                                    SSDEEP:3072:jWXWWW055R79HkNoTkV7Az5qJsGrfM1HZwiKIcvrJVjT:jdwTENV0zHyl9x
                                                    MD5:6FA8B90E42549E4FD2334D8EE1C58784
                                                    SHA1:77850CEB975CFD1C1B4CD815129564982A92875C
                                                    SHA-256:5E17FAF323F85570317C5C338999697C883BFEE6990A6EECC62F14347D03F38E
                                                    SHA-512:89603D9D1393CC98189EB77F8DE88BDB55818CB5C932CA907772EDD0999B635DC23CE491418CF5C62A0DE68E5DFF316E44D8EE9E77825C22FEACCEFFDE495BCA
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........6...e...e...e...d...e...dA..e...d...e...d...e...d...e...d...e.oe...e...d...e...e@..ea..d...ea..d...ea..e...ea..d...eRich...e................PE..d...G.Pd.........." .....N...R...........................................................`..........................................C..`...0D..................<........2..............p.......................(....................`...............................text....M.......N.................. ..`.rdata..V....`.......R..............@..@.data....7...`...&...F..............@....pdata..<............l..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):149160
                                                    Entropy (8bit):6.5780964327075395
                                                    Encrypted:false
                                                    SSDEEP:1536:VkLcRLzu+NvI1sUUQTtnZg66ytrAqXu+eo4bJv21sW/cd2esC9AolG5lV17AQF+3:KcRu+NVNQHg66yOqXuxeW2eAolZ8h7jE
                                                    MD5:2076CBC974BB0BEB29D167C2B068EFB9
                                                    SHA1:01CEEB0F9585B5ADC221EA6913A78CC8B930FE9D
                                                    SHA-256:FA8D25A439C64F6916FBFA72A643FD2BE33D62BD196749D5D1E3E11655FE9508
                                                    SHA-512:88B67CB38833CFB05747C8EA41F67F7C3EC74EE6DF6D1A9DD038C1FEA973919F6B561ED21C83AAFD419373970B23F8CA804AC58F65DE8F1952F215A8A0B19B43
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........$.a.w.a.w.a.w...v.a.w...vga.w...v.a.w...v.a.w...v.a.w...v.a.w..3w.a.w...v.a.w.a.w.a.wJ..v.a.wJ..v.a.wJ._w.a.wJ..v.a.wRich.a.w........PE..L....Pd...........!.....<...................P...............................P...... .....@.................................<........ ...................2...0..4.......p................... ...........@............P...............................text....;.......<.................. ..`.rdata.......P.......@..............@..@.data...p*....... ..................@....rsrc........ ......................@..@.reloc..4....0... ..................@..B................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1299968
                                                    Entropy (8bit):6.762310886008993
                                                    Encrypted:false
                                                    SSDEEP:24576:MmZhH1PZylAs19Y6BXln3EpRbrsjdb64dXtSaonb5JTsTkRHh+8:MsEYalr64dXtV4bITqH
                                                    MD5:F5DD27918CDC45136567CEB8B216C5B8
                                                    SHA1:D7DA1E100292AB7D6908516A60A555BE77B6D01E
                                                    SHA-256:8A4C862FFDF0E858AE721BCE97E2A5951C4D8DD665856459C41378141F5F2772
                                                    SHA-512:C1D2240DC168DF8CAD9355F5266093BABF0EAF257F40206A18F3364D0D3F2B1D03042241CEF8134DF06AA11CFB386F231EA48FA433801ACE68282BBE32D904BF
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...L.N.................X...z.......j.......p....@..........................p..........................................c....P.../...`...............................................................................X..\............................text....J.......L.................. ..`.itext.......`.......P.............. ..`.data....z...p...|...\..............@....bss....|V...............................idata.../...P...0..................@....edata..c...........................@..@.reloc..............................@..B.rsrc........`......................@..@.............p......................@..@........................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):344216
                                                    Entropy (8bit):6.595173572062912
                                                    Encrypted:false
                                                    SSDEEP:6144:VT1JVXKs/zrLHInEkVFpCcE0rw24GpY3ctV0eIYYXAEcOdlsyL:TJVXf8HVFQ0k24GUbeQcOdlR
                                                    MD5:741FD2623AD12DE3403F39EF575181E3
                                                    SHA1:54F3FA29A9565278109BA6A4049F403970110C49
                                                    SHA-256:1612B2DB97AA51736DE92BE6FC50C502394169ED4DC3E9BFDE06F331DD08790A
                                                    SHA-512:045171C2F8B65A0CE41AC86680DBC2683C1561ED008A4F33C34874CDDEFB8F5B15AA7F402DC98386E7B37428FC7EA86325C19C2E3B1B91BC401FC1659F6B8705
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......x..4<k.g<k.g<k.gw..f6k.gw..f.k.g(.f7k.gw..f=k.g..f*k.g..f.k.g..f.k.gw..f*k.gw..f=k.gw..f%k.g<k.g>j.g(.f.k.g(.f=k.g(.Jg=k.g<k"g=k.g(.f=k.gRich<k.g........PE..L...O.f...........!...(............zC....... ............................................@.............................d...T...........X................(......\0..p...................................@............ ...............................text............................... ....rdata....... ......................@..@.data...`...........................@....rsrc...X...........................@..@.reloc..\0.......2..................@..B........................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):413184
                                                    Entropy (8bit):6.581871839232087
                                                    Encrypted:false
                                                    SSDEEP:6144:2auf0pjxP5h2ki1XSeuB3TaIM452S8Y0LS1mgRzj8Zt5ZSlG9+uzgHzUKl:qfIjxPvUXSeEs883Lz8jA/ZS5uzgZ
                                                    MD5:7D96EBF6AB548AC4E9F6EE761454DE9F
                                                    SHA1:CC121DB7480602A3E3A10CFC453F2604258805D2
                                                    SHA-256:39C4355690759ADE7E5A645603C46C48FF83B0D47163FBF7FFE9EAA92DFAECAF
                                                    SHA-512:B2BF462D11217C764A5071B2E84B18CFDBA778B48705AFBDE6E38F68DFF80F8FE9A8F3C0F27CC731EFA114E2DDD3A67219D79B289934C328D3820A2FE017A0DF
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................R...........a.......p....@.............................................................................l!...@...^......................L_..................................................................................CODE.... Q.......R.................. ..`DATA.........p.......V..............@...BSS.....a............j...................idata..l!......."...j..............@....edata..............................@..P.reloc..L_.......`..................@..P.rsrc....^...@...^..................@..P.....................N..............@..P................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):322
                                                    Entropy (8bit):4.923375810926379
                                                    Encrypted:false
                                                    SSDEEP:6:TMV0RmmAsQCMDmATDUCMDmA0ibCMDmA0iNIMDmA4cbCMDmAxMDmAKHIMo0:TMGRmmTFMDm8MDmFFMDmF2IMDm/MDmut
                                                    MD5:DF00C215260AAA2D2B571005D38DEE66
                                                    SHA1:A32C80F9023A9EFB2D23A0C9D2B67824F5DFE85C
                                                    SHA-256:72D8C1C2D41160E27830AF8C48D49C8BB36CBCB03C4DCD0ECADA3E43BCEA31D8
                                                    SHA-512:B15911C9A908758006200D31BC359611F3E6EB197CF98B61307680FEE1BCAD011BEB5D09B6E7FE4E14B31E00715950B1BA43E5AB26E43207F36C856E3B61CDDC
                                                    Malicious:false
                                                    Preview:<?xml version="1.0"?>..<Root>.. <Item>%FOLDERID_ProgramData%</Item>.. <Item>%FOLDERID_Windows%</Item>.. <Item>%FOLDERID_LocalAppData%</Item>.. <Item>%FOLDERID_LocalAppDataLow%</Item>.. <Item>%FOLDERID_RoamingAppData%</Item>.. <Item>%FOLDERID_ProgramFiles%</Item>.. <Item>%FOLDERID_ProgramFilesX86%</Item>..</Root>..
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):3129856
                                                    Entropy (8bit):6.692920115202363
                                                    Encrypted:false
                                                    SSDEEP:49152:fvdCka90J5FJ8n2uRrH12SSSAt4VOZkT7LZc8/:fg65FOnRZAt4VObK
                                                    MD5:B0CA93CEB050A2FEFF0B19E65072BBB5
                                                    SHA1:7EBBBBE2D2ACD8FD516F824338D254A33B69F08D
                                                    SHA-256:0E93313F42084D804B9AC4BE53D844E549CFCAF19E6F276A3B0F82F01B9B2246
                                                    SHA-512:37242423E62AF30179906660C6DBBADCA3DC2BA9E562F84315A69F3114765BC08E88321632843DBD78BA1728F8D1CE54A4EDFA3B96A9D13E540AEE895AE2D8E2
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....W..................)...........)...... )...@...........................1.......................................+......`+.f8...@/..T....................+..{..................................................`j+.......+......................text.....(.......(................. ..`.itext...,....(.......(............. ..`.data...d.... ).......).............@....bss....x.....).......)..................idata..f8...`+..:....).............@....didata.......+.......).............@....edata........+.......).............@..@.reloc...{....+..|....).............@..B.rsrc....T...@/..T...n-.............@..@..............1......./.............@..@................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:ISO-8859 text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):753
                                                    Entropy (8bit):4.790660863727601
                                                    Encrypted:false
                                                    SSDEEP:12:S1GigXIRp5nuIAoOjyCiQvg13vNIsQFDedsCpsiM0icl2GtuOZnE:S1GZW/RIvqjQNC1iclWoE
                                                    MD5:622F3D0B51D18328020F858C77AC4A9C
                                                    SHA1:84EC68B009C254FBCBF8D0FE38917E27EEE26392
                                                    SHA-256:4F39DE7B48D8CD80F40267250DF737619C122C260E982CA64029CE6BBC852D95
                                                    SHA-512:1F9712BE02005380A52806478EB316D9D9F212CEDFD7458EB337B9534823DDD5AD69E4F2D968D8CE8825286372A1DA90423A8EF0E0BBA6068DEAEEFF228656FA
                                                    Malicious:false
                                                    Preview:.. ... ...... . ......... ......... ------------------------------.......... .. Files Inspector 4.15.. --------------------.... * . ....... ........... (... ....... ............) ...... ..... ..... ....... .. .. ............ ..... ......... . ......... ........... * .......... ......... .. ......... .........., .............. . ...... ...... .. ......... ... ..... ....... .. ......... ........ ....... ........ . ......, .. ..... ........... .. ....... ......... ..... . .......... .... * .......... ...... . ....... "......... . ....": .... ........... ......... .. .. ..... "......... . ........." .. ....... (........) ......., ... .. ........... .. ..... ........... Files Inspector.......
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):782
                                                    Entropy (8bit):4.376851114759592
                                                    Encrypted:false
                                                    SSDEEP:24:SECmCTHFMW0uu4UHqCq9CMXdNC+pjnR0bZ:SpmfruAzqQMSscZ
                                                    MD5:26C76E66CF53CF7767F08C00E4659B09
                                                    SHA1:0907744FE2D42EBB9B53BE23AD28DDDB256ACBD2
                                                    SHA-256:5CBD87A6585C0BBC9904DFF390D98333C36DD7728FBB67ECE896BDD93ABFD066
                                                    SHA-512:874746B34FE44BA42E3AEBB691B446AD6A8F7CEDA52CA35C99B2A06AB754E4538931EB3BB3D2BEB71196102BD1516A14DDFE9235F94BFD42D117C596A8129B39
                                                    Malicious:false
                                                    Preview:.. What's New in the Latest Version.. --------------------------------...... Files Inspector 4.15.. --------------------.... * In the notification section (under the bell icon), you can now .. find news from the official program blog and educational articles..... * Tooltips, which appear in different parts of the program to help .. users learn how to use it most effectively, have been improved. A .. close button and a button to respond to program requests directly .. within the tooltip have been added..... * Bug fixed in the Applications and Games section: If you move an .. application from the "System and Service" folder to the top (root) .. level, it does not stay there after you restart Files Inspector.........
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):517760
                                                    Entropy (8bit):6.211950186401596
                                                    Encrypted:false
                                                    SSDEEP:6144:Qw9R9eQz5CtIqB2rXx9pLPolyKaU/VWXrx/JWlT+NQljVdohHpaBOv/wEQqYn1Hl:/1Rz5ZrpglyedFTohpGOm1l
                                                    MD5:F96606642F2747B1FD5F2C859E120472
                                                    SHA1:7D97D001540575653C0A6C4806B210FBB85307BC
                                                    SHA-256:3716685133159B8A0716987641B22BA90C7208A83EC18784C80B19ADB1789C95
                                                    SHA-512:F86CB9E688C06C58DAB82CE778E099D0FBA55EBEE72688D3EF6510EFABFA22D5324BE60F0F6E3D4B5AB36001320861BE575B2B648DBEA7C6DC48E25A669ABDFD
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................z.........................1............O...D.....D.....D.]....D.....Rich...................PE..d...{IN^.........." ........."......................................................T.....`.........................................0...P........................B.......@..............p.......................(.......................`............................text............................... ..`.rdata...b.......d..................@..@.data....d... ...J..................@....pdata...B.......B...N..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):431232
                                                    Entropy (8bit):6.595644118947377
                                                    Encrypted:false
                                                    SSDEEP:12288:+i6uSO+hcBDS/60Q7eAPlw9zBrSS0nEe3sK4wk2G:DWcBDSYvlwLSSTe8K4wvG
                                                    MD5:0E53CD8997AB346A4AF5B9D19BE1A98B
                                                    SHA1:378ACC6333E975E5409E04074D2D1CF83C5FE619
                                                    SHA-256:6113B459870B07AA3055E0EE645D6F3DDBE8E7931BB0ABCD3A9736F62561D1FF
                                                    SHA-512:953DAAE2372CB29810BF1C879DD6459BE27C17466E8F615D20D39CE497584E536D66F8956467C50A23734561FBD8CDB22CADF5AC5C28F76FBED4D26CEFB2FFB7
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........6...e...e...e...d...e...dp..e...d...e...d...e...d...e...d...e..e...e...d...e...e^..eO..d...eO..d...eO.ge...eO..d...eRich...e........................PE..L......]...........!.....F..........hr.......`......................................:.....@.............................P...@........0...............T...@...@...F..0K..p...................@L.......K..@............`.. ............................text....E.......F.................. ..`.rdata...}...`...~...J..............@..@.data....O.......B..................@....rsrc........0......................@..@.reloc...F...@...H..................@..B................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
                                                    Category:dropped
                                                    Size (bytes):1911886
                                                    Entropy (8bit):7.559298207966295
                                                    Encrypted:false
                                                    SSDEEP:49152:DfN77nrR+8A7m+QMXouCi8/n4FbpijxXNnk68mktXl:DfN77U7m+nouCdf4oNn9kv
                                                    MD5:1ADB1764E42021F4049B1AE9F2E1D614
                                                    SHA1:813DF01FF0A7562F1D0A02AB1F60F3F60435ABD4
                                                    SHA-256:88183AFFE3E1FEB95C8B9F55B2D4A63BCBD1E8B40B901EC01BDCAA15A6D442A1
                                                    SHA-512:E3D4F0EFB59A7F77B5940A0A3C26AEC5A5E879DC42F951376BB6C5E4184F137BD624D766C10B6315294860CB0B7113FF2FD6B4D09C89B4F9421B73705DD5E647
                                                    Malicious:false
                                                    Preview:RIFFF,..WAVEfmt ........D...........LIST....INFOISFT....Lavf57.83.100.data.,..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!.!.<.<.2.2.:.:././.;.;.....:.:.-.-.;.;.*.*.8.8.'.'.6.6.'.'.6.6.&.&.6.6.(.(...............................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1729832
                                                    Entropy (8bit):6.747423032766495
                                                    Encrypted:false
                                                    SSDEEP:24576:giHQhZy6MotzRTX4UTKaSxEV+y0MTxpcep1jSa0GDBkHWRobqUT:giwDyMdrTWx+YElnjSUuHLqUT
                                                    MD5:52AA4A2F1187B461C97F4A9AE6C6C54D
                                                    SHA1:DC2EA68AB7C69DD7EE6C47178C6CF5B65C7A087A
                                                    SHA-256:830C39D0063BA9B96B997BAB43D48C5A2D82E83754BB16EA1DB820A4FCF215DE
                                                    SHA-512:C748D75DF1F07A74FBC49B7DF425ECD3260BE5A29B0C5CB7EE79B6B25C92A82D1B8911EBBBDFAB2F0C756F4B70D1434C807A6370DA96AF7551A3196F40C985F0
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z..>..mm..mm..mm.0m..mm..lmK.mm.bm..mm.2m.mm.1m..mm.3m..mm..m..mm.7m..mmRich..mm........................PE..L...C..H...........!.........`......m..............J.........................`.......................................2..CN......x....................P..(........x......8...............................@...............D............................text...j........................... ..`.data..............................@...Shared..............................@....rsrc............ ..................@..@.reloc...x..........................@..B........................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):9116352
                                                    Entropy (8bit):6.747641159297999
                                                    Encrypted:false
                                                    SSDEEP:196608:7TX1m7a8USvrHfag5HFUFUXSk0zGrfCXv9GKbTK8mZWvqOME:7xm9UamgdFUFUXSk0zGrfCXv4KbTujOx
                                                    MD5:BA095598CFFB424C202781656CA2F2A7
                                                    SHA1:013486F84ABA2A89955C6A62DEF2FD9524DBA151
                                                    SHA-256:F7B8D216B27FA51D835D262EE55FBD836D08B4F413E42BAD38DEA658F1779AED
                                                    SHA-512:687223DA11C8E0507A57B8480421400CBC44476EE94407E3601A8797E86449F95BF72CE47520071816523B40377509A27CFBDAB29EAC7C97F68C4411A852229C
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 5%
                                                    Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$............tzO.tzO.tzO..yN.tzO...NntzO..~N.tzO..O.tzO..yN.tzO..~N.tzO...N.tzO.tzO.tzO1.~N.wzO3..N.tzO1..N.uzO..|N.tzO..{N.tzO.t{O.uzO3.sN.tzO3.zN.tzO3.O.tzO3.xN.tzORich.tzO........PE..L...x.Pg...........!...*.dq..j.......o^.......q...........................................@.............................................................H.......5..................................P~..@.............q..............................text....cq......dq................. ..`.rdata........q......hq.............@..@.data... Q...0......................@....rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):255
                                                    Entropy (8bit):4.923451311843341
                                                    Encrypted:false
                                                    SSDEEP:3:vFWWMNHUzRZtcfVWDSLjXPQig6WiJ7kNfCq2RK9C+LbTEK9gDL4vHpQig6WgQMfo:TMV0RZtc0OLjXtOq7kEL+qDL4P/OgQEu
                                                    MD5:A09CD34D7B0C5D9855E09181C6DD72E8
                                                    SHA1:D6B1FA061C69BC773922336824ED8B6040B9690C
                                                    SHA-256:C7B45450BF29B9E7DBCE2B7EBC0583875EDD233180EECA698B2B681C5DA9200D
                                                    SHA-512:B6AF8CD55D1361E248091E4DE08A13F6DEABAA5E129AEF6A29F161916682AB8A9133955E418BCDA0E79CDD053F0872C0D1B2525E5FAFA275F431886D88580EA1
                                                    Malicious:false
                                                    Preview:<?xml version="1.0"?>..<Root><Default>https://www.chemtable.com/order_files_inspector_online.htm</Default><LocalizedLinks><Languages><Item>Russian</Item></Languages><URL>https://chemtable.ru/order_files_inspector_online.htm</URL></LocalizedLinks></Root>..
                                                    Process:C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:DAA100DF6E6711906B61C9AB5AA16032
                                                    SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                                    SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                                    SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                                    Malicious:false
                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):106496
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                                    SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                                    SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                                    SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                                    Malicious:false
                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):106496
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                                    SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                                    SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                                    SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                                    Malicious:false
                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):51200
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF235F22DF3E004EDE21041978C24F2E
                                                    SHA1:7188972F71AEE4C62669330FF7776E48094B4D9D
                                                    SHA-256:16FA66A7DC98D93F2A4C5D20BAF5177F59C4C37FC62FACE65690C11C15FE6FF9
                                                    SHA-512:E76D7CBBAA2B3110D38425F7B579C6F94C29A162D3B4A3B9A4FEACEDE7CEC5EA5E30E455F9417A2C230390C78AB2FBC54C7B98C8F8F68955FE071C37C59D4046
                                                    Malicious:false
                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):106496
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                                    SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                                    SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                                    SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                                    Malicious:false
                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):98304
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:0A9156C4E3C48EF827980639C4D1E263
                                                    SHA1:9F13A523321C66208E90D45F87FA0CD9B370E111
                                                    SHA-256:3A3ED164E42500A1C5B2D0093F0A813D27DC50D038F330CC100A7E70ECE2E6E4
                                                    SHA-512:8A46C1B44C0EA338AFF0D2E2D07C34430B67B68B6D27E1ADB8CF216B0F0994172CED106A90283F2F0469B5CAA40ACEDF101D45729B823E5179EA55AC507E04AD
                                                    Malicious:false
                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):0.017262956703125623
                                                    Encrypted:false
                                                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                    Malicious:false
                                                    Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):40960
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:AB893875D697A3145AF5EED5309BEE26
                                                    SHA1:C90116149196CBF74FFB453ECB3B12945372EBFA
                                                    SHA-256:02B1C2234680617802901A77EAE606AD02E4DDB4282CCBC60061EAC5B2D90BBA
                                                    SHA-512:6B65C0A1956CE18DF2D271205F53274D2905C803D059A0801BF8331CCAA28A1D4842D3585DD9C2B01502A4BE6664BDE2E965B15FCFEC981E85EED37C595CD6BC
                                                    Malicious:false
                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):196608
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:EF2E0D18474B2151EF5876B1E89C2F1D
                                                    SHA1:AEF9802FCF76C67D695BC77322BAE5400D3BBE82
                                                    SHA-256:3381DE4CA9F3A477F25989DFC8B744E7916046B7AA369F61A9A2F7DC0963EC9E
                                                    SHA-512:E81185705A3BD73645BF2B190BBF3AEE060C1C72F98FA39665F254A755B0A5723CE8296422874EB50C7B5E8D6BCD90175B0BA28061221039172A3F50E8902CC8
                                                    Malicious:false
                                                    Process:C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:DAA100DF6E6711906B61C9AB5AA16032
                                                    SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                                    SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                                    SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Audio Reader XL Premium, Author: IN MEDIAKG TI, Keywords: Installer, Comments: This installer database contains the logic and data required to install Audio Reader XL Premium., Template: Intel;1033, Revision Number: {F42B81C2-97E3-4FE6-BB7D-FDC864EFC273}, Create Time/Date: Wed Dec 4 21:17:08 2024, Last Saved Time/Date: Wed Dec 4 21:17:08 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                    Category:dropped
                                                    Size (bytes):14462976
                                                    Entropy (8bit):7.995795486374199
                                                    Encrypted:true
                                                    SSDEEP:393216:GDFCbAjiImi73v4JPUQ6Rm1feeuQx1qbvto:GRCbAjCK6PEm12ZQx1qbFo
                                                    MD5:5D2922491B47E1C355103194E069E5AC
                                                    SHA1:EB918F926C9CC2F9239F1DFE0380727C8170982C
                                                    SHA-256:C348002E3D2CF40A2FC3C819A96B1735DC451BB3EC32BA9355FEACCD3EEE63C0
                                                    SHA-512:522BE674A5FB20AF9A4FA42315AE8E780DF3310F5B0EA8FECCCA1CF788CD6AF542226AED65E9C6F7353D2DAF954522F4067880626A2CCF4B7793178B57EB0BD9
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):9543
                                                    Entropy (8bit):5.759994998005076
                                                    Encrypted:false
                                                    SSDEEP:192:de88YRZVrgHlNodjZj50Vb6elJnETnHW4z:dTXgFNGjUV/JeWg
                                                    MD5:1588E2256ADBAA04ED8B6C7B1C92ACF0
                                                    SHA1:BB208766A4B3A217CDB19E2C40095975E1582AC6
                                                    SHA-256:7D5DF727C8EABF09974EEBFD893ECB729B457CF32F1B77A808F91F7FAEBC1A8B
                                                    SHA-512:A743DA5704BE9ADF35840E4ADA4A0C8D38C12E17D254A8297FB171BFDEA66CBB8C21C76D3AD72B13D1CCFE579E2A19C9D38E32561F806D9E6C237602034314A0
                                                    Malicious:false
                                                    Preview:...@IXOS.@.....@,R.Y.@.....@.....@.....@.....@.....@......&.{67D76A46-417D-40B2-AC02-DA0F92C8DB7A}..Audio Reader XL Premium..cloudflare.msi.@.....@.....@.....@........&.{F42B81C2-97E3-4FE6-BB7D-FDC864EFC273}.....@.....@.....@.....@.......@.....@.....@.......@......Audio Reader XL Premium......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{69ACFB11-8974-7600-BE76-FB33A2985E33}V.C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\CharcoalDarkSlate.vsf.@.......@.....@.....@......&.{73617013-F5DE-07AB-793A-5A906368C1DE}U.C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\CloseApplication.dll.@.......@.....@.....@......&.{EB597F34-5CA9-86B7-A290-3FD80E69853C}T.C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\License-Russian.txt.@.......@.....@.....@......&.{7C63DA7D-A151-8DE2-2017-642FB5D89B29}L.C:\Users\user\A
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.1639010927641986
                                                    Encrypted:false
                                                    SSDEEP:12:JSbX72FjaSAGiLIlHVRpZh/7777777777777777777777777vDHFLzit/l0i8Q:JPQI5tMiF
                                                    MD5:C534B68C7405112599FB0DC712F4952B
                                                    SHA1:ABC147A891EC472FC97EC1CDDE4CB95CCA03C7DD
                                                    SHA-256:28B657D11B4BB3BDD98324511A34DD4312454BC2BA74AAD9AF8BDA83423B6C29
                                                    SHA-512:4FB33FD39A6B3B86D09B389C3D2300C2F16A92AB103DD9142B7A3FA8A04AA19B18E3C0CCBC27B5B80347E3AE1D6297BB938021E9CC97C5C88F49B13749C6FF55
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.5060591360020226
                                                    Encrypted:false
                                                    SSDEEP:48:48PhiuRc06WXJSFT5yzucG1B0S50rlcG1B0SIRB:Hhi1JFT+HY
                                                    MD5:A9F64934AFBAFBE2500170B52541B6BD
                                                    SHA1:EA71AC68A6D2C510B10890CBA84A21E8A89D9D74
                                                    SHA-256:B831F939F66EF059C89546525AF41DDCFA017A790D3EB936AAD200567A9E71E8
                                                    SHA-512:1BF8C7FB396C0F42F0130643A70E6D49E3D1B851937697BFD37D9B2F51B34A77BD531B80928DAAAD8DA9D345711E376E407531D344E97D6B589FA1C706AF4D72
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):360001
                                                    Entropy (8bit):5.3629855524246794
                                                    Encrypted:false
                                                    SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaux:zTtbmkExhMJCIpEs
                                                    MD5:7565435661CA5615860CBA2F91AE54D4
                                                    SHA1:5145BF12380F6AD321DB13CB2F6ABDD2A4C969FA
                                                    SHA-256:B9ABEEFBBDCCB00747D2068E6990058E8E5E103EDEAC358661841F2B1042270C
                                                    SHA-512:78C6AFF934FE8A7C21A5E065E8FEBFA731B7B2E3202BEFC9BF5E20422A6A915265F8A8366F643CEEF1A00D747D2E535D0751F772516E53494218CD74DCDEFBC3
                                                    Malicious:false
                                                    Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):69632
                                                    Entropy (8bit):0.12114843681218518
                                                    Encrypted:false
                                                    SSDEEP:24:iHeBwY8OwVWG0eBwbipVkwVWG0eBwbipV7VgwG7Plrkgq+6:dBMLcG1B0SLcG1B0S50rqb
                                                    MD5:DAF50F5D2945EA9213F91F780A262811
                                                    SHA1:28B7DACFAEC904CE7B09175797FD88FDC9F595D9
                                                    SHA-256:FE298CE918D31E6E37F75BBB3C89AAD00C011D613EB181FC073E6E598AB1E671
                                                    SHA-512:22235D98FA4305B1713210859DAD6073863A57F41673FAD41A6E3D0650B842F4A3C532DAC3B224BFEEBEBD9E8071AA14FEDAE294F327557DA7700E3034A52EEE
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):1.2105748413563577
                                                    Encrypted:false
                                                    SSDEEP:48:q9quIPveFXJjT58zucG1B0S50rlcG1B0SIRB:Oq47TkHY
                                                    MD5:C6E7AEE9E064CB6C796EF2C250122335
                                                    SHA1:FE86E682981F352EF4D9D90681C59BD5D8EF8F3A
                                                    SHA-256:720E712E71074B22B407D1DA828EF1D7D49C02D0923C93B096EDDDDB811A9BF3
                                                    SHA-512:56F8FEAB3F61F9608D2E9B4B2AF94A6E3608B77FFB33285832F60DAD5233953068DC41138FA816ABBC370C1C81CAE08B307BE7BC59F39980B0F1ECA53393E006
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):0.07102696039982931
                                                    Encrypted:false
                                                    SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOgU1+gVky6lit/:2F0i8n0itFzDHFLAit/
                                                    MD5:8A74DF7AAFCCA732BC21A49EAADF0E9E
                                                    SHA1:983F716E1030A4AC17F4054D559F112AF626D41B
                                                    SHA-256:20DC70296BE1AFD3A9673B5FB8562C01BCF96381E694CCDFF80C9EF76C89E5E4
                                                    SHA-512:C119CC1C3813DC2AA16DF1157BDAA4166BE6C8C10FD1896256216951538A2F280463EEB7108B3CD6ECAB56EA841831644984ED304AE56B436ABFE0B3AFBBF580
                                                    Malicious:false
                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.5060591360020226
                                                    Encrypted:false
                                                    SSDEEP:48:48PhiuRc06WXJSFT5yzucG1B0S50rlcG1B0SIRB:Hhi1JFT+HY
                                                    MD5:A9F64934AFBAFBE2500170B52541B6BD
                                                    SHA1:EA71AC68A6D2C510B10890CBA84A21E8A89D9D74
                                                    SHA-256:B831F939F66EF059C89546525AF41DDCFA017A790D3EB936AAD200567A9E71E8
                                                    SHA-512:1BF8C7FB396C0F42F0130643A70E6D49E3D1B851937697BFD37D9B2F51B34A77BD531B80928DAAAD8DA9D345711E376E407531D344E97D6B589FA1C706AF4D72
                                                    Malicious:false
                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):1.2105748413563577
                                                    Encrypted:false
                                                    SSDEEP:48:q9quIPveFXJjT58zucG1B0S50rlcG1B0SIRB:Oq47TkHY
                                                    MD5:C6E7AEE9E064CB6C796EF2C250122335
                                                    SHA1:FE86E682981F352EF4D9D90681C59BD5D8EF8F3A
                                                    SHA-256:720E712E71074B22B407D1DA828EF1D7D49C02D0923C93B096EDDDDB811A9BF3
                                                    SHA-512:56F8FEAB3F61F9608D2E9B4B2AF94A6E3608B77FFB33285832F60DAD5233953068DC41138FA816ABBC370C1C81CAE08B307BE7BC59F39980B0F1ECA53393E006
                                                    Malicious:false
                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
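Several of the files msiexec.exe dropped above are 512 bytes long with entropy 0.0 and identical digests, which is what a block of NUL bytes looks like. The Python below is an added triage aid, not part of the Joe Sandbox report: it hashes a 512-byte NUL block and compares it with the reported digests, then applies the same rule to sort the dropped-file entries into zero-filled stubs and files that deserve a look. The DROPPED list is transcribed from the entries above; the classification rule and the helper names are this example's own, and the "stub" verdict only says the content is all zeros, not what msiexec intended the file for.

```python
import hashlib
import math

# Digests the report lists for the 512-byte, entropy-0.0 dropped files
# (copied from the dropped-file entries above, lower-cased).
REPORTED_512B_STUB = {
    "md5": "bf619eac0cdf3f68d496ea9344137e8b",
    "sha1": "5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5",
    "sha256": "076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560",
}

# Four of the dropped-file entries above, transcribed: size, entropy, SHA-256, type.
DROPPED = [
    {"size": 512, "entropy": 0.0, "type": "data",
     "sha256": REPORTED_512B_STUB["sha256"]},
    {"size": 32768, "entropy": 1.2105748413563577, "type": "Composite Document File V2",
     "sha256": "720e712e71074b22b407d1da828ef1d7d49c02d0923c93b096eddddb811a9bf3"},
    {"size": 32768, "entropy": 0.07102696039982931, "type": "data",
     "sha256": "20dc70296be1afd3a9673b5fb8562c01bcf96381e694ccdff80c9ef76c89e5e4"},
    {"size": 20480, "entropy": 1.5060591360020226, "type": "Composite Document File V2",
     "sha256": "b831f939f66ef059c89546525af41ddcfa017a790d3eb936aad200567a9e71e8"},
]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the scale of the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def digests(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of `data`, keyed like REPORTED_512B_STUB."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_zero_fill(size: int, entropy: float, sha256: str) -> bool:
    """True when a dropped file's reported metadata equals a file of `size` NUL bytes.
    The SHA-256 check makes entropy 0.0 unambiguous (0.0 also covers e.g. all-0xFF)."""
    expected = hashlib.sha256(b"\x00" * size).hexdigest()
    return entropy == 0.0 and sha256.lower() == expected


def classify_dropped(entries):
    """Split report entries into zero-filled stubs and files worth further review."""
    stubs, review = [], []
    for e in entries:
        target = stubs if matches_zero_fill(e["size"], e["entropy"], e["sha256"]) else review
        target.append(e)
    return stubs, review


if __name__ == "__main__":
    zero_block = b"\x00" * 512
    print("512 NUL bytes match the reported digests:", digests(zero_block) == REPORTED_512B_STUB)
    print("entropy of the block:", shannon_entropy(zero_block))
    stubs, review = classify_dropped(DROPPED)
    print(len(stubs), "zero-filled stub(s);", len(review), "file(s) to review:")
    for e in review:
        print(f"  {e['size']:>6} bytes  entropy {e['entropy']:.3f}  {e['type']}  {e['sha256'][:16]}...")
```

The same check generalises: compute the digest of a NUL block of the reported size for any entropy-0.0 entry, and only spend analyst time on the remaining dropped files (here the two Compound Document files and the low-entropy 32 KiB "data" file).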
                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Audio Reader XL Premium, Author: IN MEDIAKG TI, Keywords: Installer, Comments: This installer database contains the logic and data required to install Audio Reader XL Premium., Template: Intel;1033, Revision Number: {F42B81C2-97E3-4FE6-BB7D-FDC864EFC273}, Create Time/Date: Wed Dec 4 21:17:08 2024, Last Saved Time/Date: Wed Dec 4 21:17:08 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                    Entropy (8bit):7.995795486374199
                                                    TrID:
                                                    • Microsoft Windows Installer (60509/1) 88.31%
                                                    • Generic OLE2 / Multistream Compound File (8008/1) 11.69%
                                                    File name:cloudflare.msi
                                                    File size:14'462'976 bytes
                                                    MD5:5d2922491b47e1c355103194e069e5ac
                                                    SHA1:eb918f926c9cc2f9239f1dfe0380727c8170982c
                                                    SHA256:c348002e3d2cf40a2fc3c819a96b1735dc451bb3ec32ba9355feaccd3eee63c0
                                                    SHA512:522be674a5fb20af9a4fa42315ae8e780df3310f5b0ea8feccca1cf788cd6af542226aed65e9c6f7353d2daf954522f4067880626a2ccf4b7793178b57eb0bd9
                                                    SSDEEP:393216:GDFCbAjiImi73v4JPUQ6Rm1feeuQx1qbvto:GRCbAjCK6PEm12ZQx1qbFo
                                                    TLSH:D3E63371B0D0003DE5C2AB72888252F72B298FA35EB87D1B99237C7478F72DA26574D1
                                                    File Content Preview:........................>......................................................................................................................................................................................................................................
                                                    Icon Hash:2d2e3797b32b2b99
                                                     Timestamp                        SID      Signature                                Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
                                                     2024-12-11T16:19:20.342255+0100  2034465  ET MALWARE Danabot Key Exchange Request  1         192.168.2.6  49985        193.188.22.40   443        TCP
                                                     2024-12-11T16:19:21.429638+0100  2034465  ET MALWARE Danabot Key Exchange Request  1         192.168.2.6  49988        193.188.22.41   443        TCP
                                                     2024-12-11T16:19:22.638957+0100  2034465  ET MALWARE Danabot Key Exchange Request  1         192.168.2.6  49992        89.116.191.177  443        TCP
                                                     2024-12-11T16:19:23.715965+0100  2034465  ET MALWARE Danabot Key Exchange Request  1         192.168.2.6  49995        213.210.13.4    443        TCP
                                                     Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                                     Dec 11, 2024 16:18:33.205986023 CET  49887        53         192.168.2.6      8.8.8.8
                                                     Dec 11, 2024 16:18:33.325331926 CET  53           49887      8.8.8.8          192.168.2.6
                                                     Dec 11, 2024 16:18:33.325525045 CET  49887        53         192.168.2.6      8.8.8.8
                                                     Dec 11, 2024 16:18:36.230657101 CET  53           49887      8.8.8.8          192.168.2.6
                                                     Dec 11, 2024 16:18:36.230772018 CET  49887        53         192.168.2.6      8.8.8.8
                                                     Dec 11, 2024 16:18:36.925396919 CET  49893        443        192.168.2.6      193.188.22.40
                                                     Dec 11, 2024 16:18:36.925448895 CET  443          49893      193.188.22.40    192.168.2.6
                                                     Dec 11, 2024 16:18:36.925528049 CET  49893        443        192.168.2.6      193.188.22.40
                                                     Dec 11, 2024 16:18:36.990717888 CET  49893        443        192.168.2.6      193.188.22.40
                                                     Dec 11, 2024 16:18:36.990761042 CET  443          49893      193.188.22.40    192.168.2.6
                                                     Dec 11, 2024 16:18:36.990777969 CET  49893        443        192.168.2.6      193.188.22.40
                                                     Dec 11, 2024 16:18:36.990787029 CET  443          49893      193.188.22.40    192.168.2.6
                                                     Dec 11, 2024 16:18:36.990844965 CET  443          49893      193.188.22.40    192.168.2.6
                                                     Dec 11, 2024 16:18:38.018603086 CET  49899        443        192.168.2.6      193.188.22.41
                                                     Dec 11, 2024 16:18:38.018661022 CET  443          49899      193.188.22.41    192.168.2.6
                                                     Dec 11, 2024 16:18:38.018728971 CET  49899        443        192.168.2.6      193.188.22.41
                                                     Dec 11, 2024 16:18:38.081234932 CET  49899        443        192.168.2.6      193.188.22.41
                                                     Dec 11, 2024 16:18:38.081254959 CET  443          49899      193.188.22.41    192.168.2.6
                                                     Dec 11, 2024 16:18:38.081289053 CET  49899        443        192.168.2.6      193.188.22.41
                                                     Dec 11, 2024 16:18:38.081296921 CET  443          49899      193.188.22.41    192.168.2.6
                                                     Dec 11, 2024 16:18:38.081342936 CET  443          49899      193.188.22.41    192.168.2.6
                                                     Dec 11, 2024 16:18:39.101597071 CET  49900        443        192.168.2.6      89.116.191.177
                                                     Dec 11, 2024 16:18:39.101706028 CET  443          49900      89.116.191.177   192.168.2.6
                                                     Dec 11, 2024 16:18:39.101780891 CET  49900        443        192.168.2.6      89.116.191.177
                                                     Dec 11, 2024 16:18:39.155961990 CET  49900        443        192.168.2.6      89.116.191.177
                                                     Dec 11, 2024 16:18:39.155961990 CET  49900        443        192.168.2.6      89.116.191.177
                                                     Dec 11, 2024 16:18:39.156003952 CET  443          49900      89.116.191.177   192.168.2.6
                                                     Dec 11, 2024 16:18:39.156018972 CET  443          49900      89.116.191.177   192.168.2.6
                                                     Dec 11, 2024 16:18:39.156055927 CET  443          49900      89.116.191.177   192.168.2.6
                                                     Dec 11, 2024 16:18:40.174428940 CET  49905        443        192.168.2.6      213.210.13.4
                                                     Dec 11, 2024 16:18:40.174501896 CET  443          49905      213.210.13.4     192.168.2.6
                                                     Dec 11, 2024 16:18:40.174832106 CET  49905        443        192.168.2.6      213.210.13.4
                                                     Dec 11, 2024 16:18:40.244729996 CET  49905        443        192.168.2.6      213.210.13.4
                                                     Dec 11, 2024 16:18:40.244774103 CET  443          49905      213.210.13.4     192.168.2.6
                                                     Dec 11, 2024 16:18:40.244796038 CET  49905        443        192.168.2.6      213.210.13.4
                                                     Dec 11, 2024 16:18:40.244806051 CET  443          49905      213.210.13.4     192.168.2.6
                                                     Dec 11, 2024 16:18:40.244827986 CET  443          49905      213.210.13.4     192.168.2.6
                                                     Dec 11, 2024 16:19:20.283485889 CET  49985        443        192.168.2.6      193.188.22.40
                                                     Dec 11, 2024 16:19:20.283548117 CET  443          49985      193.188.22.40    192.168.2.6
                                                     Dec 11, 2024 16:19:20.283643961 CET  49985        443        192.168.2.6      193.188.22.40
                                                     Dec 11, 2024 16:19:20.342255116 CET  49985        443        192.168.2.6      193.188.22.40
                                                     Dec 11, 2024 16:19:20.342283010 CET  443          49985      193.188.22.40    192.168.2.6
                                                     Dec 11, 2024 16:19:20.342331886 CET  49985        443        192.168.2.6      193.188.22.40
                                                     Dec 11, 2024 16:19:20.342336893 CET  443          49985      193.188.22.40    192.168.2.6
                                                     Dec 11, 2024 16:19:20.342359066 CET  443          49985      193.188.22.40    192.168.2.6
                                                     Dec 11, 2024 16:19:21.362127066 CET  49988        443        192.168.2.6      193.188.22.41
                                                     Dec 11, 2024 16:19:21.362175941 CET  443          49988      193.188.22.41    192.168.2.6
                                                     Dec 11, 2024 16:19:21.362236977 CET  49988        443        192.168.2.6      193.188.22.41
                                                     Dec 11, 2024 16:19:21.429637909 CET  49988        443        192.168.2.6      193.188.22.41
                                                     Dec 11, 2024 16:19:21.429662943 CET  443          49988      193.188.22.41    192.168.2.6
                                                     Dec 11, 2024 16:19:21.429722071 CET  443          49988      193.188.22.41    192.168.2.6
                                                     Dec 11, 2024 16:19:21.429769993 CET  49988        443        192.168.2.6      193.188.22.41
                                                     Dec 11, 2024 16:19:21.429784060 CET  443          49988      193.188.22.41    192.168.2.6
                                                     Dec 11, 2024 16:19:22.570497990 CET  49992        443        192.168.2.6      89.116.191.177
                                                     Dec 11, 2024 16:19:22.570574045 CET  443          49992      89.116.191.177   192.168.2.6
                                                     Dec 11, 2024 16:19:22.570628881 CET  49992        443        192.168.2.6      89.116.191.177
                                                     Dec 11, 2024 16:19:22.638957024 CET  49992        443        192.168.2.6      89.116.191.177
                                                     Dec 11, 2024 16:19:22.639015913 CET  443          49992      89.116.191.177   192.168.2.6
                                                     Dec 11, 2024 16:19:22.639062881 CET  49992        443        192.168.2.6      89.116.191.177
                                                     Dec 11, 2024 16:19:22.639070988 CET  443          49992      89.116.191.177   192.168.2.6
                                                     Dec 11, 2024 16:19:22.639094114 CET  443          49992      89.116.191.177   192.168.2.6
                                                     Dec 11, 2024 16:19:23.658066034 CET  49995        443        192.168.2.6      213.210.13.4
                                                     Dec 11, 2024 16:19:23.658107042 CET  443          49995      213.210.13.4     192.168.2.6
                                                     Dec 11, 2024 16:19:23.658157110 CET  49995        443        192.168.2.6      213.210.13.4
                                                     Dec 11, 2024 16:19:23.715965033 CET  49995        443        192.168.2.6      213.210.13.4
                                                     Dec 11, 2024 16:19:23.715987921 CET  443          49995      213.210.13.4     192.168.2.6
                                                     Dec 11, 2024 16:19:23.716058016 CET  443          49995      213.210.13.4     192.168.2.6
                                                     Dec 11, 2024 16:19:23.716099977 CET  49995        443        192.168.2.6      213.210.13.4
                                                     Dec 11, 2024 16:19:23.716114998 CET  443          49995      213.210.13.4     192.168.2.6
                                                     Dec 11, 2024 16:19:23.728243113 CET  49996        443        192.168.2.6      193.188.22.40
                                                     Dec 11, 2024 16:19:23.728303909 CET  443          49996      193.188.22.40    192.168.2.6
                                                     Dec 11, 2024 16:19:23.728358030 CET  49996        443        192.168.2.6      193.188.22.40
                                                     Dec 11, 2024 16:19:23.797766924 CET  49996        443        192.168.2.6      193.188.22.40
                                                     Dec 11, 2024 16:19:23.797791004 CET  443          49996      193.188.22.40    192.168.2.6
                                                     Dec 11, 2024 16:19:23.797826052 CET  49996        443        192.168.2.6      193.188.22.40
                                                     Dec 11, 2024 16:19:23.797833920 CET  443          49996      193.188.22.40    192.168.2.6
                                                     Dec 11, 2024 16:19:23.798178911 CET  443          49996      193.188.22.40    192.168.2.6
                                                     Dec 11, 2024 16:19:23.808804989 CET  49997        443        192.168.2.6      193.188.22.41
                                                     Dec 11, 2024 16:19:23.808861017 CET  443          49997      193.188.22.41    192.168.2.6
                                                     Dec 11, 2024 16:19:23.808938980 CET  49997        443        192.168.2.6      193.188.22.41
                                                     Dec 11, 2024 16:19:23.873961926 CET  49997        443        192.168.2.6      193.188.22.41
                                                     Dec 11, 2024 16:19:23.873980045 CET  443          49997      193.188.22.41    192.168.2.6
                                                     Dec 11, 2024 16:19:23.874041080 CET  49997        443        192.168.2.6      193.188.22.41
                                                     Dec 11, 2024 16:19:23.874047995 CET  443          49997      193.188.22.41    192.168.2.6
                                                     Dec 11, 2024 16:19:23.874053955 CET  443          49997      193.188.22.41    192.168.2.6
                                                     Dec 11, 2024 16:19:23.884790897 CET  49998        443        192.168.2.6      89.116.191.177
                                                     Dec 11, 2024 16:19:23.884841919 CET  443          49998      89.116.191.177   192.168.2.6
                                                     Dec 11, 2024 16:19:23.884912968 CET  49998        443        192.168.2.6      89.116.191.177
                                                     Dec 11, 2024 16:19:23.942169905 CET  49998        443        192.168.2.6      89.116.191.177
                                                     Dec 11, 2024 16:19:23.942199945 CET  443          49998      89.116.191.177   192.168.2.6
                                                     Dec 11, 2024 16:19:23.942248106 CET  49998        443        192.168.2.6      89.116.191.177
                                                     Dec 11, 2024 16:19:23.942249060 CET  443          49998      89.116.191.177   192.168.2.6
                                                     Dec 11, 2024 16:19:23.942265034 CET  443          49998      89.116.191.177   192.168.2.6
                                                     Dec 11, 2024 16:19:23.950886965 CET  49999        443        192.168.2.6      213.210.13.4
                                                     Dec 11, 2024 16:19:23.950930119 CET  443          49999      213.210.13.4     192.168.2.6
                                                     Dec 11, 2024 16:19:23.950997114 CET  49999        443        192.168.2.6      213.210.13.4
                                                     Dec 11, 2024 16:19:24.006602049 CET  49999        443        192.168.2.6      213.210.13.4
                                                     Dec 11, 2024 16:19:24.006622076 CET  443          49999      213.210.13.4     192.168.2.6
                                                     Dec 11, 2024 16:19:24.006663084 CET  443          49999      213.210.13.4     192.168.2.6
                                                     Dec 11, 2024 16:19:24.006675959 CET  49999        443        192.168.2.6      213.210.13.4
                                                     Dec 11, 2024 16:19:24.006689072 CET  443          49999      213.210.13.4     192.168.2.6
                                                     Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                                           CName                            Address        Type                    Class        DNS over HTTPS
                                                     Dec 11, 2024 16:17:17.792079926 CET  1.1.1.1    192.168.2.6  0x6423    No error (0)  shed.dual-low.s-part-0035.t-0009.t-msedge.net  s-part-0035.t-0009.t-msedge.net  -              CNAME (Canonical name)  IN (0x0001)  false
                                                     Dec 11, 2024 16:17:17.792079926 CET  1.1.1.1    192.168.2.6  0x6423    No error (0)  s-part-0035.t-0009.t-msedge.net                -                                13.107.246.63  A (IP address)          IN (0x0001)  false
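The alert and packet tables above show the sandbox host (192.168.2.6) opening port-443 connections to the same four external hosts in the same order twice, the second pass about 43 seconds after the first, and then all four again within roughly 300 ms; each Suricata alert timestamp coincides with the first client data packet of its flow (for example source port 49985 at 16:19:20.342255, the fourth packet of that flow). The Python below is an added worked example, not part of the report and not the logic of any tool named in it. It reads the flow opens transcribed from the packet table (microseconds truncated from the report's nanosecond stamps), flags bursts in which one client contacts three or more distinct destinations on the same port inside a short window, measures how often each destination is revisited, and ties the IDS alerts back to their destinations through the source port. The thresholds (5-second window, three hosts) and the function names are this example's assumptions, chosen to fit this capture.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Flow opens (first client->server packet per source port) transcribed from the
# report's packet table: local time, src port, dst port, src IP, dst IP.
# Constructed subset of the table; only the first packet of each flow is needed.
FLOW_OPENS = """\
2024-12-11 16:18:33.205986 49887 53  192.168.2.6 8.8.8.8
2024-12-11 16:18:36.925396 49893 443 192.168.2.6 193.188.22.40
2024-12-11 16:18:38.018603 49899 443 192.168.2.6 193.188.22.41
2024-12-11 16:18:39.101597 49900 443 192.168.2.6 89.116.191.177
2024-12-11 16:18:40.174428 49905 443 192.168.2.6 213.210.13.4
2024-12-11 16:19:20.283485 49985 443 192.168.2.6 193.188.22.40
2024-12-11 16:19:21.362127 49988 443 192.168.2.6 193.188.22.41
2024-12-11 16:19:22.570497 49992 443 192.168.2.6 89.116.191.177
2024-12-11 16:19:23.658066 49995 443 192.168.2.6 213.210.13.4
2024-12-11 16:19:23.728243 49996 443 192.168.2.6 193.188.22.40
2024-12-11 16:19:23.808804 49997 443 192.168.2.6 193.188.22.41
2024-12-11 16:19:23.884790 49998 443 192.168.2.6 89.116.191.177
2024-12-11 16:19:23.950886 49999 443 192.168.2.6 213.210.13.4
"""

# Suricata alerts from the report's IDS table: (timestamp, SID, client source port).
ALERTS = [
    ("2024-12-11 16:19:20.342255", 2034465, 49985),
    ("2024-12-11 16:19:21.429638", 2034465, 49988),
    ("2024-12-11 16:19:22.638957", 2034465, 49992),
    ("2024-12-11 16:19:23.715965", 2034465, 49995),
]


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts sorted by timestamp."""
    flows = []
    for line in text.strip().splitlines():
        date, clock, sport, dport, src, dst = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")
        flows.append({"ts": ts, "sport": int(sport), "dport": int(dport),
                      "src": src, "dst": dst})
    return sorted(flows, key=lambda f: f["ts"])


def external_flows(flows):
    """Keep only flows to globally routable destinations (drops RFC 1918 and similar)."""
    return [f for f in flows if ipaddress.ip_address(f["dst"]).is_global]


def round_robin_bursts(flows, window=timedelta(seconds=5), min_hosts=3):
    """Find bursts in which the client opens flows to at least `min_hosts` distinct
    destinations on the same port within `window`. Returns (first_ts, last_ts, port, hosts)."""
    by_port = defaultdict(list)
    for f in flows:
        by_port[f["dport"]].append(f)
    bursts = []
    for port, fs in by_port.items():
        i = 0
        while i < len(fs):
            hosts, j = [], i
            while j < len(fs) and fs[j]["ts"] - fs[i]["ts"] <= window:
                if fs[j]["dst"] not in hosts:
                    hosts.append(fs[j]["dst"])
                j += 1
            if len(hosts) >= min_hosts:
                bursts.append((fs[i]["ts"], fs[j - 1]["ts"], port, tuple(hosts)))
                i = j  # continue after the burst just recorded
            else:
                i += 1
    return bursts


def revisit_intervals(flows):
    """Seconds between successive flow opens to the same dst:port (the beacon period)."""
    opens = defaultdict(list)
    for f in flows:
        opens[(f["dst"], f["dport"])].append(f["ts"])
    return {key: [round((b - a).total_seconds(), 3) for a, b in zip(ts, ts[1:])]
            for key, ts in opens.items()}


def correlate_alerts(flows, alerts):
    """Map each IDS alert to the destination of the flow that carried it, via source port."""
    by_sport = {f["sport"]: f for f in flows}
    return [(sid, by_sport[sport]["dst"], by_sport[sport]["dport"])
            for _, sid, sport in alerts if sport in by_sport]


def ioc_destinations(bursts):
    """Distinct (host, port) pairs seen in round-robin bursts, for hunting or blocking."""
    return sorted({(h, port) for _, _, port, hosts in bursts for h in hosts})


if __name__ == "__main__":
    flows = external_flows(parse_flows(FLOW_OPENS))
    bursts = round_robin_bursts(flows)
    for first, last, port, hosts in bursts:
        print(f"{first.time()} .. {last.time()} port {port}: {len(hosts)} hosts {hosts}")
    for key, gaps in revisit_intervals(flows).items():
        print(key, "revisit gaps (s):", gaps)
    print("alerts:", correlate_alerts(flows, ALERTS))
    print("IOCs:", ioc_destinations(bursts))
```

On real data, feed it the first packet per flow from Zeek conn logs or NetFlow instead of FLOW_OPENS. Browsers and CDN clients also fan out to many hosts on 443 within a few seconds, so a burst on its own is a hunting lead rather than a verdict; the combination of a fixed host list revisited in the same order, the short revisit interval, and an IDS hit on the first data packet of each flow is what makes this capture worth escalating.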


                                                    Target ID:1
                                                    Start time:10:17:20
                                                    Start date:11/12/2024
                                                    Path:C:\Windows\System32\msiexec.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\cloudflare.msi"
                                                    Imagebase:0x7ff6d6b50000
                                                    File size:69'632 bytes
                                                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:10:17:20
                                                    Start date:11/12/2024
                                                    Path:C:\Windows\System32\msiexec.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\msiexec.exe /V
                                                    Imagebase:0x7ff6d6b50000
                                                    File size:69'632 bytes
                                                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:3
                                                    Start time:10:17:23
                                                    Start date:11/12/2024
                                                    Path:C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe"
                                                    Imagebase:0x400000
                                                    File size:2'364'872 bytes
                                                    MD5 hash:5D8A546C266CC1D2F14B3BE5C662C67A
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:Borland Delphi
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000003.2319331288.0000000006688000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:false
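All eight Yara hits above are reported against memory dumps (.sdmp files) rather than against cloudflare.msi itself, which fits the 0% ReversingLabs result on the file: the DanaBot stealer DLL exists only once unpacked in memory. Two of the dumps sit at PAGE_EXECUTE_READWRITE, the combination a file scanner never sees and the one an analyst should carve first. The Python below is an added example and not code from the Joe Sandbox report: it decodes the region names and sorts hits into runtime-written RWX private memory versus mapped image and plain data pages. The winnt.h page-protection and memory-type constants are real; the layout assumed for the dump name is stated in the docstring, is inferred from the names on this page (the base, protection and type positions agree with the "Offset ..., based on PE: true" lines further down), and the two fields it does not understand are kept raw rather than interpreted. The sample lines are copied from the hit list above.

```python
"""Classify the memory regions behind Joe Sandbox Yara hits.

Added example; this is not code from the Joe Sandbox report. PAGE_* and MEM_*
values are the winnt.h constants. Reading an .sdmp name as
<proc>.<phase>.<seq>.<base>.<protect>.<f6>.<memtype>.<f8>.sdmp is an
ASSUMPTION inferred from the names on this page; f6 and f8 are kept raw.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_NAMES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
_EXEC = 0x10 | 0x20 | 0x40 | 0x80
_WRITE = 0x04 | 0x08 | 0x40 | 0x80

SDMP_RE = re.compile(
    r"(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<seq>[0-9a-f]+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<memtype>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)
# One hit line: "• Rule: X, Description: ..., Source: <name>.sdmp, Author: ..."
HIT_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<src>\S+\.sdmp)")


@dataclass
class Region:
    name: str
    proc: int
    phase: int
    base: int
    protect: int
    memtype: int

    @property
    def protect_name(self) -> str:
        return PAGE_NAMES.get(self.protect, hex(self.protect))

    @property
    def memtype_name(self) -> str:
        return MEM_NAMES.get(self.memtype, hex(self.memtype))

    def classify(self) -> str:
        """Triage label for the kind of memory the rule matched in."""
        executable = bool(self.protect & _EXEC)
        writable = bool(self.protect & _WRITE)
        if self.memtype == 0x1000000:
            return "image-code" if executable else "image-data"
        if executable and writable and self.memtype == 0x20000:
            return "unpacked-rwx"  # code written at run time: in-memory payload
        if executable:
            return "exec-nonimage"
        return "data-rw" if writable else "data-ro"


def parse_sdmp(name: str) -> Region:
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name}")
    return Region(
        name=m.group(0), proc=int(m["proc"], 16), phase=int(m["phase"], 16),
        base=int(m["base"], 16), protect=int(m["protect"], 16),
        memtype=int(m["memtype"], 16),
    )


def summarize_hits(lines: List[str]) -> Dict[int, dict]:
    """Group rule hits by region base: {base: {"region", "rules", "class"}}."""
    out: Dict[int, dict] = {}
    for line in lines:
        m = HIT_RE.search(line)
        if not m:
            continue
        region = parse_sdmp(m["src"])
        entry = out.setdefault(
            region.base, {"region": region, "rules": set(), "class": region.classify()}
        )
        entry["rules"].add(m["rule"].strip())
    return out


def payload_regions(summary: Dict[int, dict]) -> List[int]:
    """Bases of unpacked RWX private regions: what a file scanner never sees."""
    return sorted(b for b, e in summary.items() if e["class"] == "unpacked-rwx")


# Hit lines copied from the report above (no new data).
SAMPLE_HITS = [
    "• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000002.3517175546.0000000008909000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000002.3510975434.0000000008350000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000003.2323823864.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000003.00000003.2331632512.00000000071A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security",
]

if __name__ == "__main__":
    for base, e in sorted(summarize_hits(SAMPLE_HITS).items()):
        r = e["region"]
        print(f"{base:#010x} {r.protect_name:<22} {r.memtype_name:<11} {e['class']:<13} {sorted(e['rules'])}")
```

Run on the hit list, the two "unpacked-rwx" regions (0x8350000 and 0x8909000) are the candidates to dump and scan as standalone PE payloads; the PAGE_READWRITE hits are more likely decrypted strings or copies of the same data and are worth diffing against the RWX regions before spending time on them.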


                                                      Execution Graph

                                                      Execution Coverage:6.9%
                                                      Dynamic/Decrypted Code Coverage:38.2%
                                                      Signature Coverage:6.7%
                                                      Total number of Nodes:492
                                                      Total number of Limit Nodes:31
                                                      execution_graph: the interactive node/edge dump (492 nodes, 31 limit nodes) is not reproduced here. Nodes are basic-block addresses; a labelled node names the API or runtime function reached from that block. Two modules are covered:
                                                      • Main module at 0x00AF0000 (blocks 0x00AF1xxx to 0x00B4xxxx): GetActiveObject; FreeLibrary / ExitProcess; GetLocaleInfoA; RegOpenKeyExA / RegQueryValueExA / RegCloseKey; lstrcpyn / lstrlen / LoadLibraryExA; GetVersion; GetCurrentProcessId / GetCurrentThreadId; GlobalAddAtomA; RegisterClipboardFormatA; GetModuleHandleA / GetProcAddress; GetModuleFileNameA / OemToCharA / CharNextA / CharLowerA / CharUpperBuffA; LoadCursorA / LoadIconA / GetKeyboardLayout / SystemParametersInfoA / CreateFontIndirectA / GetStockObject / CreateBrushIndirect; CoCreateInstance; VirtualAlloc / VirtualFree; RtlInitializeCriticalSection / RtlEnterCriticalSection / RtlLeaveCriticalSection / LocalAlloc; GetMenuItemInfoA / SetMenuItemInfoA / DrawMenuBar; IsWindowEnabled / GetKeyState / IsWindowVisible / PtInRect / IsChild; MulDiv; plus three call targets the plugin could not resolve to names (73EA5CF0, 6F98E0E0, 6F9BCFD0).
                                                      • Module at 0x6C880000 (blocks 0x6C88xxxx to 0x6C8Cxxxx, MSVC CRT symbols such as ___security_init_cookie, ___std_exception_copy, __freea, ___vcrt_* and Concurrency::cancel_current_task, and a function labelled In_Interface_Web): CoInitializeEx; GetCurrentDirectoryW; a window-enumeration loop over GetDesktopWindow / GetTopWindow / GetWindow / GetWindowThreadProcessId / IsWindowVisible / ShowWindow that is re-entered after GetCurrentProcessId and Sleep; OpenEventA / CreateEventA / SetEvent / ResetEvent / WaitForSingleObjectEx / CloseHandle; WriteFile / GetLastError; LoadLibraryExW / GetProcAddress / FreeLibrary; TlsAlloc / TlsFree; RtlAllocateHeap / RtlFreeHeap; InitializeCriticalSectionAndSpinCount / DeleteCriticalSection; GetSystemTimeAsFileTime / GetCurrentThreadId / GetCurrentProcessId / QueryPerformanceCounter from one block (the __security_init_cookie seeding pattern).

                                                      Control-flow Graph

                                                      APIs
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00B470A4), ref: 00AF5873
                                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00B470A4), ref: 00AF5891
                                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00B470A4), ref: 00AF58AF
                                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00AF58CD
                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00AF595C,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00AF5916
                                                      • RegQueryValueExA.ADVAPI32(?,00AF5AD8,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00AF595C,?,80000001), ref: 00AF5934
                                                      • RegCloseKey.ADVAPI32(?,00AF5963,00000000,?,?,00000000,00AF595C,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00AF5956
                                                      • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00AF5973
                                                      • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00AF5980
                                                      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00AF5986
                                                      • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00AF59B1
                                                      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00AF5A06
                                                      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00AF5A16
                                                      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00AF5A42
                                                      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00AF5A52
                                                      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00AF5A7C
                                                      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 00AF5A8C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                      • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                      • API String ID: 1759228003-2375825460
                                                      • Opcode ID: 0a3174fa63416b5b3f56987f22cbcdc8a52c4f801e9ec57344ca1ee7c2873743
                                                      • Instruction ID: a3fcb3c19e0199123796a099a3514667c0b6199a617e1e04293df385ca3e16fa
                                                      • Opcode Fuzzy Hash: 0a3174fa63416b5b3f56987f22cbcdc8a52c4f801e9ec57344ca1ee7c2873743
                                                      • Instruction Fuzzy Hash: E4612271E4460EBEEB15EBE8CD86FFFB7BC9B08700F5041A1B744E6181D6B49A548B50
                                                      APIs
                                                      • GetVersion.KERNEL32(00000000,00B419DA), ref: 00B4196E
                                                        • Part of subcall function 00B41720: GetCurrentProcessId.KERNEL32(?,00000000,00B41898), ref: 00B41741
                                                        • Part of subcall function 00B41720: GlobalAddAtomA.KERNEL32(00000000), ref: 00B41774
                                                        • Part of subcall function 00B41720: GetCurrentThreadId.KERNEL32 ref: 00B4178F
                                                        • Part of subcall function 00B41720: GlobalAddAtomA.KERNEL32(00000000), ref: 00B417C5
                                                        • Part of subcall function 00B41720: RegisterClipboardFormatA.USER32(00000000), ref: 00B417DB
                                                        • Part of subcall function 00B41720: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,00B41898), ref: 00B4185F
                                                        • Part of subcall function 00B41720: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00B41870
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                      • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
                                                      • String ID:
                                                      • API String ID: 3775504709-0
                                                      • Opcode ID: 49f02484947a4e08271048ab03f7623cfe6c8f340ed31bcbb3d87d58cc00115a
                                                      • Instruction ID: ac8479eb59de81f5b1429b0ada5ade8d7962e4dc96ad6c6efcbcf6f41f61d4e7
                                                      • Opcode Fuzzy Hash: 49f02484947a4e08271048ab03f7623cfe6c8f340ed31bcbb3d87d58cc00115a
                                                      • Instruction Fuzzy Hash: 07F090782842018FD704FB28FD639197FE5F7553013A188B1F804836B2CE30AE22DB44

                                                      Control-flow Graph

                                                      APIs
                                                      • GetCurrentProcessId.KERNEL32(?,00000000,00B41898), ref: 00B41741
                                                      • GlobalAddAtomA.KERNEL32(00000000), ref: 00B41774
                                                      • GetCurrentThreadId.KERNEL32 ref: 00B4178F
                                                      • GlobalAddAtomA.KERNEL32(00000000), ref: 00B417C5
                                                      • RegisterClipboardFormatA.USER32(00000000), ref: 00B417DB
                                                        • Part of subcall function 00B074B4: RtlInitializeCriticalSection.KERNEL32(00B04FF0,?,?,00B0DF7D,00000000,00B0DFA1), ref: 00B074D3
                                                        • Part of subcall function 00B41324: SetErrorMode.KERNEL32(00008000), ref: 00B4133D
                                                        • Part of subcall function 00B41324: GetModuleHandleA.KERNEL32(USER32,00000000,00B4148A,?,00008000), ref: 00B41361
                                                        • Part of subcall function 00B41324: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00B4136E
                                                        • Part of subcall function 00B41324: LoadLibraryA.KERNEL32(imm32.dll,00000000,00B4148A,?,00008000), ref: 00B4138A
                                                        • Part of subcall function 00B41324: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00B413AC
                                                        • Part of subcall function 00B41324: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00B413C1
                                                        • Part of subcall function 00B41324: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00B413D6
                                                        • Part of subcall function 00B41324: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00B413EB
                                                        • Part of subcall function 00B41324: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00B41400
                                                        • Part of subcall function 00B41324: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00B41415
                                                        • Part of subcall function 00B41324: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00B4142A
                                                        • Part of subcall function 00B41324: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00B4143F
                                                        • Part of subcall function 00B41324: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00B41454
                                                        • Part of subcall function 00B41324: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00B41469
                                                        • Part of subcall function 00B41324: SetErrorMode.KERNEL32(?,00B41491,00008000), ref: 00B41484
                                                        • Part of subcall function 00B25C84: GetKeyboardLayout.USER32(00000000), ref: 00B25CC9
                                                        • Part of subcall function 00B25C84: 73E9A570.USER32(00000000), ref: 00B25D1E
                                                        • Part of subcall function 00B25C84: 73EA4620.GDI32(00000000,0000005A,00000000), ref: 00B25D28
                                                        • Part of subcall function 00B25C84: 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000), ref: 00B25D33
                                                        • Part of subcall function 00B26D98: LoadIconA.USER32(00000000,MAINICON), ref: 00B26E7D
                                                        • Part of subcall function 00B26D98: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 00B26EAF
                                                        • Part of subcall function 00B26D98: OemToCharA.USER32(?,?), ref: 00B26EC2
                                                        • Part of subcall function 00B26D98: CharNextA.USER32(?,00000000,?,00000100), ref: 00B26F0F
                                                        • Part of subcall function 00B26D98: CharLowerA.USER32(00000000,?,00000000,?,00000100), ref: 00B26F15
                                                      • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,00B41898), ref: 00B4185F
                                                      • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00B41870
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                      • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$A4620A480A570ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameNextProcessRegisterSectionThread
                                                      • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
                                                      • API String ID: 814285418-1126952177
                                                      • Opcode ID: 769e1502aaebb5b0b2e589d914d3656d7414f360618e5509cb9d5ebfc2dec1d2
                                                      • Instruction ID: ed210437b73f9ee3406d2382dc49ddaa48ad7782c2c2c4c55054e503a29f0efb
                                                      • Opcode Fuzzy Hash: 769e1502aaebb5b0b2e589d914d3656d7414f360618e5509cb9d5ebfc2dec1d2
                                                      • Instruction Fuzzy Hash: 51413D78A142499FCB00FFB8ED829AE77F5FB1A304B5045A5F504EB362DF34AA409B54

                                                      Control-flow Graph

                                                      APIs
                                                      • __RTC_Initialize.LIBCMT ref: 6C8BB54E
                                                      • ___scrt_uninitialize_crt.LIBCMT ref: 6C8BB568
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: Initialize___scrt_uninitialize_crt
                                                      • String ID:
                                                      • API String ID: 2442719207-0
                                                      • Opcode ID: 6bd9675e2947852fd2d9e23a46a019c8fc181c7c03f86469d3c9ada31349d9fb
                                                      • Instruction ID: e34fe15a7a7542d6765374c4d1a467b567475a0fa2200e901665b705e183ecf3
                                                      • Opcode Fuzzy Hash: 6bd9675e2947852fd2d9e23a46a019c8fc181c7c03f86469d3c9ada31349d9fb
                                                      • Instruction Fuzzy Hash: 23419272E15619AEDB308F58CF80ABE3AB5EF46768F104929E81477B50D7318D058BA0

                                                      Control-flow Graph

                                                      APIs
                                                      • LoadIconA.USER32(00000000,MAINICON), ref: 00B26E7D
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 00B26EAF
                                                      • OemToCharA.USER32(?,?), ref: 00B26EC2
                                                      • CharNextA.USER32(?,00000000,?,00000100), ref: 00B26F0F
                                                      • CharLowerA.USER32(00000000,?,00000000,?,00000100), ref: 00B26F15
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                       • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: Char$FileIconLoadLowerModuleNameNext
                                                      • String ID: MAINICON
                                                      • API String ID: 3256280155-2283262055
                                                      • Opcode ID: cef04b68f650bc1e975d77497eee5e3f4066bbc9b6d6f864ec1bd627ceeeb6f0
                                                      • Instruction ID: 657d50fd335135ac0ffec9e95446f2ab5edf7634ae01bdbf448f1f555de08236
                                                      • Opcode Fuzzy Hash: cef04b68f650bc1e975d77497eee5e3f4066bbc9b6d6f864ec1bd627ceeeb6f0
                                                      • Instruction Fuzzy Hash: 32516971A042988FDB40EF78D885BC97BE4AB15304F0480F5E988DF357DBB59A88CB61

                                                      Control-flow Graph

                                                      APIs
                                                      • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00B264E4
                                                      • CreateFontIndirectA.GDI32(?), ref: 00B264F1
                                                      • GetStockObject.GDI32(0000000D), ref: 00B26507
                                                        • Part of subcall function 00B11B9C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00B11BA9
                                                      • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00B26530
                                                      • CreateFontIndirectA.GDI32(?), ref: 00B26540
                                                      • CreateFontIndirectA.GDI32(?), ref: 00B26559
                                                      • GetStockObject.GDI32(0000000D), ref: 00B2657F
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                       • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                                                      • String ID:
                                                      • API String ID: 2891467149-0
                                                      • Opcode ID: b9fa66500c46e1d0ef1197dca7e95ae0a9d6c69b24a7f89a41217ebd9b850929
                                                      • Instruction ID: 2df5c8b27fe409d645d5ac6d0334e419a60fa90f5391eef45dc1ebdd6fa95822
                                                      • Opcode Fuzzy Hash: b9fa66500c46e1d0ef1197dca7e95ae0a9d6c69b24a7f89a41217ebd9b850929
                                                      • Instruction Fuzzy Hash: 0D3150346042589BE750EFA8EC82B9A37E4FB44304F8484F0BA4CDB29ADF709944C721

                                                      Control-flow Graph

                                                      APIs
                                                      • RtlInitializeCriticalSection.KERNEL32(00B495CC,00000000,00AF1CA8,?,?,?,00AF2606), ref: 00AF1BF7
                                                      • RtlEnterCriticalSection.KERNEL32(00B495CC,00B495CC,00000000,00AF1CA8,?,?,?,00AF2606), ref: 00AF1C0A
                                                      • LocalAlloc.KERNEL32(00000000,00000FF8,00B495CC,00000000,00AF1CA8,?,?,?,00AF2606), ref: 00AF1C34
                                                      • RtlLeaveCriticalSection.KERNEL32(00B495CC,00AF1CAF,00000000,00AF1CA8,?,?,?,00AF2606), ref: 00AF1CA2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                       • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                      • String ID: ,Xn$<Xn
                                                      • API String ID: 730355536-2313646270
                                                      • Opcode ID: 3390cdfa16c784578699327a7c79a9191747da1c570ee7d1d7d0bf23ae8d0d41
                                                      • Instruction ID: 487f7142314f069cb4e2cb0d74edb04eff85f66c1b65f8df5cfcb80b990f789e
                                                      • Opcode Fuzzy Hash: 3390cdfa16c784578699327a7c79a9191747da1c570ee7d1d7d0bf23ae8d0d41
                                                      • Instruction Fuzzy Hash: CA11C4B4644308EFD716EFD5CA01B3A77E4FB5A300F1044A4F200873A1CA744E41DB55

                                                      Control-flow Graph

                                                      APIs
                                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,00000023,00000000,00002000), ref: 6C883233
                                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000023,00000000,00002000), ref: 6C883250
                                                      • Sleep.KERNEL32(0000001E,?,?,?,?,?,?,?,?,?,?,?,00000023,00000000,00002000), ref: 6C88325F
                                                      • Sleep.KERNEL32(00000032,?,?,?,?,?,?,00000023,00000000,00002000), ref: 6C88326C
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 6C88353F
                                                      • In_Interface_Web.ABCPDF ref: 6C883550
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: CurrentProcessSleep$Concurrency::cancel_current_taskInterface_
                                                      • String ID:
                                                      • API String ID: 3554754347-0
                                                      • Opcode ID: 39ca4c6e05aa34fb8083217722a0b9bc376bd59ed748ba073fe430640c34428e
                                                      • Instruction ID: 5278a231b04af9786d5e7f5055c872902251523b08e9ad7a530508ae44ba6a41
                                                      • Opcode Fuzzy Hash: 39ca4c6e05aa34fb8083217722a0b9bc376bd59ed748ba073fe430640c34428e
                                                      • Instruction Fuzzy Hash: DDF1C5B19157419BD731CB34C944BDFB3E8AF85308F108F3EE559A7A80EB34A6488B52

                                                      Control-flow Graph

                                                      APIs
                                                      • CoInitializeEx.OLE32(00000000,00000000), ref: 6C882E04
                                                      • GetCurrentDirectoryW.KERNEL32(00000104,?,00001000), ref: 6C882E70
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectoryInitialize
                                                      • String ID:
                                                      • API String ID: 3250367583-0
                                                      • Opcode ID: 99b04af65d6f4c7a792a93305054707430949b7c11374ec342b5bdb943fa1482
                                                      • Instruction ID: b8ed324f252bcf2ab3bd648aeda84985980a02d97d888e399cec8345e4333175
                                                      • Opcode Fuzzy Hash: 99b04af65d6f4c7a792a93305054707430949b7c11374ec342b5bdb943fa1482
                                                      • Instruction Fuzzy Hash: 9A814E715493809AE730CF24C945FDBB7E8BF84704F104E2EF689A6680EBB1A548CB56

                                                      Control-flow Graph

                                                      APIs
                                                      • GetKeyboardLayout.USER32(00000000), ref: 00B25CC9
                                                      • 73E9A570.USER32(00000000), ref: 00B25D1E
                                                      • 73EA4620.GDI32(00000000,0000005A,00000000), ref: 00B25D28
                                                      • 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000), ref: 00B25D33
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                       • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: A4620A480A570KeyboardLayout
                                                      • String ID:
                                                      • API String ID: 3268288004-0
                                                      • Opcode ID: 2ab0fdcb329557e0bc2c4def36339ece32857a4ae19c86bfd328956b0e2bdba5
                                                      • Instruction ID: 3e1f40169c8d7efcde9f054e40b8276f0feb8fc697ae9eed94642d483a64bb46
                                                      • Opcode Fuzzy Hash: 2ab0fdcb329557e0bc2c4def36339ece32857a4ae19c86bfd328956b0e2bdba5
                                                      • Instruction Fuzzy Hash: CA3106B16102449FD740EF6CE9C5B997BE0BB16315F8480A9FA0CDF362DB7698488B60

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 6C882A20: GetDesktopWindow.USER32 ref: 6C882A84
                                                        • Part of subcall function 6C882A20: GetTopWindow.USER32(00000000), ref: 6C882A8B
                                                        • Part of subcall function 6C882A20: GetWindow.USER32(00000000,00000002), ref: 6C882ABF
                                                      • GetWindowThreadProcessId.USER32(6C8ED4B6,6C882C8E), ref: 6C882B7F
                                                      • IsWindowVisible.USER32(?), ref: 6C882CAA
                                                      • ShowWindow.USER32(?,00000000,?,00000000,000000FF), ref: 6C882D75
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: Window$DesktopProcessShowThreadVisible
                                                      • String ID:
                                                      • API String ID: 2112749491-0
                                                      • Opcode ID: 2d36cf237188ba7dcb1acf29a07fff5ad8d99672bad9c00c67d00f3cdb53c5c4
                                                      • Instruction ID: 1fbed7bf2b87ae335f0aa877a7bc94770a2253ee8f155d7eb7481bcaea225733
                                                      • Opcode Fuzzy Hash: 2d36cf237188ba7dcb1acf29a07fff5ad8d99672bad9c00c67d00f3cdb53c5c4
                                                      • Instruction Fuzzy Hash: 8B91A271D025199BDB20CFA8CA847EEF7B4FF49328F200619E815B7B80D7796944CB94

                                                      Control-flow Graph

                                                      APIs
                                                      • GetDesktopWindow.USER32 ref: 6C882A84
                                                      • GetTopWindow.USER32(00000000), ref: 6C882A8B
                                                      • GetWindow.USER32(00000000,00000002), ref: 6C882ABF
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: Window$Desktop
                                                      • String ID:
                                                      • API String ID: 2849500299-0
                                                      • Opcode ID: c67a007ed031bf3d353e4e08318a29928c5e78c1aeb4988f5277d997dd5db294
                                                      • Instruction ID: dfb77cafb331c5557740033371d5d074df556ec878b239279138c5d44c355a27
                                                      • Opcode Fuzzy Hash: c67a007ed031bf3d353e4e08318a29928c5e78c1aeb4988f5277d997dd5db294
                                                      • Instruction Fuzzy Hash: 37216D719017099FC721CF59D988B6BBBF8FF89714F108A2EE45593B40D779A904CB90

                                                      Control-flow Graph

                                                      control_flow_graph 549 af1640-af164d 550 af164f-af1654 549->550 551 af1656-af165c 549->551 552 af1662-af167a VirtualAlloc 550->552 551->552 553 af169f-af16a2 552->553 554 af167c-af168a call af1464 552->554 554->553 557 af168c-af169d VirtualFree 554->557 557->553
                                                      APIs
                                                      • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00AF19D3), ref: 00AF166F
                                                      • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00AF19D3), ref: 00AF1696
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                      • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: Virtual$AllocFree
                                                      • String ID: <Xn
                                                      • API String ID: 2087232378-173563621
                                                      • Opcode ID: 65b766c2cc0406b7c42621392eea1afd01b4b80923b8c3c9759b1fa891415073
                                                      • Instruction ID: 74c2809d4fd562948447777dd8538baec31be0e5024349e239c9eddd92a5aa96
                                                      • Opcode Fuzzy Hash: 65b766c2cc0406b7c42621392eea1afd01b4b80923b8c3c9759b1fa891415073
                                                      • Instruction Fuzzy Hash: 7FF027B2B0032497DBA05AE94D81B726AD59F95790F1901B1FB0CEF3C9E2618C0043A0

                                                      Control-flow Graph

                                                      control_flow_graph 558 af3f9c-af3fe0 559 af3fe4-af4016 call af3e74 558->559 560 af3fe2 558->560 563 af401f-af4026 559->563 564 af4018-af401a 559->564 560->559 566 af4028-af402b 563->566 567 af4030-af4036 563->567 564->563 565 af401c 564->565 565->563 566->567 568 af403b-af4042 567->568 569 af4038 567->569 570 af4044-af404b 568->570 571 af4051-af4055 568->571 569->568 570->571 572 af41ec-af41ff 571->572 573 af405b call af3f2c 571->573 574 af4217-af421e 572->574 575 af4201-af4204 572->575 580 af4060 573->580 578 af4231-af4235 574->578 579 af4220-af422c call af40d4 call af4160 574->579 575->574 577 af4206-af4215 575->577 577->574 582 af4237-af423e 578->582 583 af4245-af424e call af3ebc 578->583 579->578 582->583 586 af4240-af4242 582->586 590 af4259-af425e 583->590 591 af4250-af4257 583->591 586->583 593 af427c-af4285 call af3e94 590->593 594 af4260-af4270 call af5c00 590->594 591->590 591->593 600 af428a-af428e 593->600 601 af4287 593->601 594->593 599 af4272-af4274 594->599 599->593 602 af4276-af4277 FreeLibrary 599->602 603 af4295-af4298 600->603 604 af4290 call af4130 600->604 601->600 602->593 605 af429a-af42a1 603->605 606 af42b4-af42c1 603->606 604->603 608 af42a9-af42af ExitProcess 605->608 609 af42a3 605->609 606->578 609->608
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                      • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: de881168ddca122460e143f6ef9e56d290b8e0f75516314c2965ad7cc6a9f4ac
                                                      • Instruction ID: 539a4b417454b66b3cc8852c2bab682d3582d266ffddf468329e020675b40804
                                                      • Opcode Fuzzy Hash: de881168ddca122460e143f6ef9e56d290b8e0f75516314c2965ad7cc6a9f4ac
                                                      • Instruction Fuzzy Hash: BD416D798052488FDB25DFE8D8847BB7BE0BB4A320F154569FA4887262CB348E84CB55

                                                      Control-flow Graph

                                                      control_flow_graph 610 af243c-af244c 611 af244e call af1be0 610->611 612 af2457-af245d 610->612 616 af2453-af2455 611->616 614 af245f-af2464 612->614 615 af2469-af247e 612->615 617 af25df-af25e6 614->617 618 af248a-af2493 615->618 619 af2480-af2485 RtlEnterCriticalSection 615->619 616->612 616->614 620 af249a-af24a0 618->620 621 af2495 618->621 619->618 622 af24a6-af24aa 620->622 623 af2552-af2558 620->623 621->620 626 af24af-af24c3 622->626 627 af24ac 622->627 624 af25ad-af25cb call af22f4 623->624 625 af255a-af2567 623->625 638 af25cd-af25d2 RtlLeaveCriticalSection 624->638 639 af25d7 624->639 628 af2569-af2571 625->628 629 af2576-af25ab call af3d1c 625->629 626->623 631 af24c9-af24e6 626->631 627->626 628->629 629->617 632 af24e8-af24f4 631->632 633 af24f6-af251a 631->633 636 af251c-af254d call af3d1c 632->636 633->636 636->617 638->639
                                                      APIs
                                                        • Part of subcall function 00AF1BE0: RtlInitializeCriticalSection.KERNEL32(00B495CC,00000000,00AF1CA8,?,?,?,00AF2606), ref: 00AF1BF7
                                                        • Part of subcall function 00AF1BE0: RtlEnterCriticalSection.KERNEL32(00B495CC,00B495CC,00000000,00AF1CA8,?,?,?,00AF2606), ref: 00AF1C0A
                                                        • Part of subcall function 00AF1BE0: LocalAlloc.KERNEL32(00000000,00000FF8,00B495CC,00000000,00AF1CA8,?,?,?,00AF2606), ref: 00AF1C34
                                                        • Part of subcall function 00AF1BE0: RtlLeaveCriticalSection.KERNEL32(00B495CC,00AF1CAF,00000000,00AF1CA8,?,?,?,00AF2606), ref: 00AF1CA2
                                                      • RtlEnterCriticalSection.KERNEL32(00B495CC,00000000,00AF25D8), ref: 00AF2485
                                                      • RtlLeaveCriticalSection.KERNEL32(00B495CC,00AF25DF), ref: 00AF25D2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                      • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                      • String ID:
                                                      • API String ID: 2227675388-0
                                                      • Opcode ID: c6307b6399c0245afa7181fb0cef072f72882667d2ff7f72a3564ac802ec4a81
                                                      • Instruction ID: 0d501239271e414c4cfa14ea055515be1b7ec947f3688596aa29b3af38dd2343
                                                      • Opcode Fuzzy Hash: c6307b6399c0245afa7181fb0cef072f72882667d2ff7f72a3564ac802ec4a81
                                                      • Instruction Fuzzy Hash: F8516CB4A00309DFDB10DFA8D98167EB7F0FB49310F218269E914A7351DB349A81CF51

                                                      Control-flow Graph

                                                      control_flow_graph 642 b26040-b2605a LoadCursorA 643 b2605f-b26062 642->643 644 b26064-b26067 643->644 645 b26069-b2606c 643->645 644->645 646 b2606e-b26074 644->646 645->646 647 b26076 645->647 648 b26078-b26093 LoadCursorA call b26114 646->648 647->648 648->643 651 b26095-b26099 648->651
                                                      APIs
                                                      • LoadCursorA.USER32(00000000,00007F00), ref: 00B2604D
                                                      • LoadCursorA.USER32(00000000,00000000), ref: 00B2607C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                      • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: CursorLoad
                                                      • String ID:
                                                      • API String ID: 3238433803-0
                                                      • Opcode ID: ac37e523e20486d800f19c13fedce4cf7b25036b00bdc230b3ac6a6e489a1768
                                                      • Instruction ID: f619c06b772c2fea47654a3302708544ce0ff4488118e941ee7b0aa892421718
                                                      • Opcode Fuzzy Hash: ac37e523e20486d800f19c13fedce4cf7b25036b00bdc230b3ac6a6e489a1768
                                                      • Instruction Fuzzy Hash: 84F08C31B046681B9620167D6CD1A7B73D8DB96330B2003B6FA3ED76E2CA666C41A661
                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000000,00000000,?,6C8C8B07,?,00000000,?,?,6C8C8B2C,?,00000007,?,?,6C8C87F4,?,?), ref: 6C8C3A93
                                                      • GetLastError.KERNEL32(?,?,6C8C8B07,?,00000000,?,?,6C8C8B2C,?,00000007,?,?,6C8C87F4,?,?), ref: 6C8C3A9E
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 485612231-0
                                                      • Opcode ID: f9e1eb02638373ba87e6d26e17c418a7ba7a3a838ada95ef8a8aa5fc27160b94
                                                      • Instruction ID: 3431fbb042600f7f5a07a126a71911d72f3e4ef153a417b22f2c11e54514d9a7
                                                      • Opcode Fuzzy Hash: f9e1eb02638373ba87e6d26e17c418a7ba7a3a838ada95ef8a8aa5fc27160b94
                                                      • Instruction Fuzzy Hash: 32E08631304A04BBCB311FB5AA0CBC53B78EB4535DF104430FA089B550D734C855C791
                                                      APIs
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 6C88376C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::cancel_current_task
                                                      • String ID:
                                                      • API String ID: 118556049-0
                                                      • Opcode ID: bc9abbc6abc06696e52df63a07e38c6e47e031144c7c0eb451611edfdd8975ad
                                                      • Instruction ID: bb494fbe3a6a9b0e411ee4725ed1f2c4ad40a4335ed01e198ec3c10ef665ea9b
                                                      • Opcode Fuzzy Hash: bc9abbc6abc06696e52df63a07e38c6e47e031144c7c0eb451611edfdd8975ad
                                                      • Instruction Fuzzy Hash: 3C41E471B0121A9BCB24DFBCCAD099EB3E5BF483147144A79E811D7B45E730EE148B90
                                                      APIs
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 6C8838C7
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::cancel_current_task
                                                      • String ID:
                                                      • API String ID: 118556049-0
                                                      • Opcode ID: bf60bb9bf7282af117b2ead31447b96ec6995998c8252a99398ec738d6955be7
                                                      • Instruction ID: 1547613c467d649db6019a7182f2ef042a9f77f3d8d36f12f115edab90b9808c
                                                      • Opcode Fuzzy Hash: bf60bb9bf7282af117b2ead31447b96ec6995998c8252a99398ec738d6955be7
                                                      • Instruction Fuzzy Hash: 924124B1A015159FD728CF6CCA809AEB7A4EF883147548B39E815D3F80E730EE45C790
                                                      APIs
                                                        • Part of subcall function 6C882AE0: GetWindowThreadProcessId.USER32(6C8ED4B6,6C882C8E), ref: 6C882B7F
                                                      • IsWindowVisible.USER32(?), ref: 6C882CAA
                                                      • ShowWindow.USER32(?,00000000,?,00000000,000000FF), ref: 6C882D75
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: Window$ProcessShowThreadVisible
                                                      • String ID:
                                                      • API String ID: 2688220658-0
                                                      • Opcode ID: 4ad71182a021d033c36a6ec6e16c35567af734422e5c95295c39c3035837b0e4
                                                      • Instruction ID: c0b15d0efbae019eafe3ed1292ef226e0b24d50805a6c65a2f477c4bb3fd6c23
                                                      • Opcode Fuzzy Hash: 4ad71182a021d033c36a6ec6e16c35567af734422e5c95295c39c3035837b0e4
                                                      • Instruction Fuzzy Hash: AD3181B1D016199BDB10CF98CA847AEFBB0FF49324F104619D811A7B80D7796944CBA4
                                                      APIs
                                                        • Part of subcall function 6C882C10: IsWindowVisible.USER32(?), ref: 6C882CAA
                                                      • ShowWindow.USER32(?,00000000,?,00000000,000000FF), ref: 6C882D75
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: Window$ShowVisible
                                                      • String ID:
                                                      • API String ID: 4185057100-0
                                                      • Opcode ID: d5998373b8b36516933dc66193e17a4a7cab60de38c68ff55d0fc61b63e6dd55
                                                      • Instruction ID: 2db8e5cd95404029f43f2d4451ce7474215a0da6f5643aa9d6b1b6412a8527cf
                                                      • Opcode Fuzzy Hash: d5998373b8b36516933dc66193e17a4a7cab60de38c68ff55d0fc61b63e6dd55
                                                      • Instruction Fuzzy Hash: D711C432E021289BCB10DE78DD947FEB7B4AF09325F150769E851B7B80D739AD448694
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 6C88289E
                                                        • Part of subcall function 6C8BCBDA: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,6C8BB024,?,6C91F7EC,?), ref: 6C8BCC3B
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: ExceptionRaise___std_exception_copy
                                                      • String ID:
                                                      • API String ID: 3109751735-0
                                                      • Opcode ID: 429c88a20440c29e73ee487ac082b6cdd2e97704be4dc56bfac8d25158ad83eb
                                                      • Instruction ID: 90a3ac6160daedaf6d30c2c1e2295417dd6d605dcb1dcfe2127d4f0e8dd5a664
                                                      • Opcode Fuzzy Hash: 429c88a20440c29e73ee487ac082b6cdd2e97704be4dc56bfac8d25158ad83eb
                                                      • Instruction Fuzzy Hash: B101043680030C77CB34AEECDD858DA77AC9B01628B504D31AA24B6F50EB30E54C82D5
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000000,6C8BB016,?,?,6C8BC2F0,?,?,?,?,?,6C8BAF7A,6C8BB016,?,?,?,?), ref: 6C8C3AE9
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: 87a66c5beea5f111bdeeadfe91f65362dd973969cf58b30b05920208fee075b9
                                                      • Instruction ID: e1f7b766066891d8ae630dd76003081ba207dbb6faed7637dc6b023e8c728dbf
                                                      • Opcode Fuzzy Hash: 87a66c5beea5f111bdeeadfe91f65362dd973969cf58b30b05920208fee075b9
                                                      • Instruction Fuzzy Hash: 10E0E531351E256BE7309B6B9E04BCB365C9F462B8F114930EC1097980DB60CC2282E3
                                                      APIs
                                                      • GetModuleFileNameA.KERNEL32(00AF0000,?,00000105), ref: 00AF55E2
                                                        • Part of subcall function 00AF5858: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00B470A4), ref: 00AF5873
                                                        • Part of subcall function 00AF5858: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00B470A4), ref: 00AF5891
                                                        • Part of subcall function 00AF5858: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00B470A4), ref: 00AF58AF
                                                        • Part of subcall function 00AF5858: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00AF58CD
                                                        • Part of subcall function 00AF5858: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00AF595C,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00AF5916
                                                        • Part of subcall function 00AF5858: RegQueryValueExA.ADVAPI32(?,00AF5AD8,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00AF595C,?,80000001), ref: 00AF5934
                                                        • Part of subcall function 00AF5858: RegCloseKey.ADVAPI32(?,00AF5963,00000000,?,?,00000000,00AF595C,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00AF5956
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                      • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: Open$FileModuleNameQueryValue$Close
                                                      • String ID:
                                                      • API String ID: 2796650324-0
                                                      • Opcode ID: 2b51127376f963e1f92ddf71d9fdd713ecbcb36da634af5b8f0ca24f7d2badbb
                                                      • Instruction ID: c279ae3fc45b20c056fbc03ef7067e9d12c59df8b5712ee4b5e3dc089c012c71
                                                      • Opcode Fuzzy Hash: 2b51127376f963e1f92ddf71d9fdd713ecbcb36da634af5b8f0ca24f7d2badbb
                                                      • Instruction Fuzzy Hash: 5CE06D71A006188BCB10DFEC89C1A9633D8AF08764F000961BE68CF24AD370DD108BD0
                                                      APIs
                                                      • CreateThread.KERNEL32(00000000,00000000,6C883550,00000000,00000000,00000000), ref: 6C883578
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID: CreateThread
                                                       • String ID:
                                                       • API String ID: 2422867632-0
                                                      APIs
                                                      • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00B0DCEE
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                       • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID: AllocVirtual
                                                       • String ID:
                                                       • API String ID: 4275171209-0
                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8A8F43
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                       • String ID: SvTq$SvTq
                                                       • API String ID: 885266447-2489124442
                                                      APIs
                                                      • IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 6C8BBC74
                                                      • IsDebuggerPresent.KERNEL32 ref: 6C8BBD40
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C8BBD59
                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 6C8BBD63
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                       • String ID:
                                                       • API String ID: 254469556-0
                                                      APIs
                                                      • GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 6C8BBDF5
                                                      • GetCurrentThreadId.KERNEL32 ref: 6C8BBE04
                                                      • GetCurrentProcessId.KERNEL32 ref: 6C8BBE0D
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 6C8BBE1A
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                       • String ID:
                                                       • API String ID: 2933794660-0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID:
                                                       • String ID: $@
                                                       • API String ID: 0-1077428164
                                                      APIs
                                                      • CoCreateInstance.OLE32(00B47434,00000000,00000007,00B47454,00000000,00000000,00B44430), ref: 00B44354
                                                      • CoCreateInstance.OLE32(00B47444,00000000,00000007,00B47474,00000000,00B47434,00000000,00000007,00B47454,00000000,00000000,00B44430), ref: 00B443A4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                       • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID: CreateInstance
                                                       • String ID:
                                                       • API String ID: 542301482-0
                                                      Strings
                                                      • .././../src/v6.3.0-036e54f1a3.clean/mpz/pprime_p.c, xrefs: 6C8D1EB8
                                                      • __gmpn_mod_1 (((n)->_mp_d), (mp_size_t) ((n)->_mp_size), (mp_limb_t) primes[nprimes]) == 0, xrefs: 6C8D1EAE
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID:
                                                       • String ID: .././../src/v6.3.0-036e54f1a3.clean/mpz/pprime_p.c$__gmpn_mod_1 (((n)->_mp_d), (mp_size_t) ((n)->_mp_size), (mp_limb_t) primes[nprimes]) == 0
                                                       • API String ID: 0-2966990738
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID:
                                                       • String ID: VUUU
                                                       • API String ID: 0-2040033107
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID:
                                                       • String ID: SvTq
                                                       • API String ID: 0-1364570696
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID:
                                                       • String ID: 3
                                                       • API String ID: 0-1842515611
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID:
                                                       • String ID: SvTq
                                                       • API String ID: 0-1364570696
                                                      APIs
                                                      • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00AF6222), ref: 00AF61E2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                       • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID: InfoLocale
                                                       • String ID:
                                                       • API String ID: 2299586839-0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID:
                                                       • String ID:
                                                       • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                       • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                       Joe Sandbox IDA Plugin
                                                       • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                       Similarity
                                                       • API ID:
                                                       • String ID:
                                                       • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a4bff860c3a023e3812474067f976ccfd296e62bfc81306399aa399fdc1aa28d
                                                      • Instruction ID: 53f78a725faaf31b492129bfb84fc8bb4166950280d7f2a78a47edfb3272b850
                                                      • Opcode Fuzzy Hash: a4bff860c3a023e3812474067f976ccfd296e62bfc81306399aa399fdc1aa28d
                                                      • Instruction Fuzzy Hash: DE22F1716063069FE7309F29CA80B66B7E5EF85708F544E2EE886C7E45E334E5488B91
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4a90f2afa88ac95b9966176619f375e8693a31fd1a077eee55b740097d5d15bf
                                                      • Instruction ID: 03b395dcfa13be3c7e403053555c6601495f25b23e64df44399e83f927347a47
                                                      • Opcode Fuzzy Hash: 4a90f2afa88ac95b9966176619f375e8693a31fd1a077eee55b740097d5d15bf
                                                      • Instruction Fuzzy Hash: DDE19F327156268BCB24CF2DD88017BB3E6FEC93167098A3AE945D7254FB39D655C380
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2e8fae780ef6d909120ba81b3a22a8206c2b60666ca6f0aed5938e20160ef453
                                                      • Instruction ID: 8ccf9bfd875aca3fa1a3a929066077199d88239c968c4db55afd42f49c1bb287
                                                      • Opcode Fuzzy Hash: 2e8fae780ef6d909120ba81b3a22a8206c2b60666ca6f0aed5938e20160ef453
                                                      • Instruction Fuzzy Hash: E4C1D3F3A042006BE3349798CD93FFBB3D4AB94344F844E29E05695BC0FB79A6594786
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5886400945f62e640b7aca601df0ed852ab5771437386ac562598905bb08fdf2
                                                      • Instruction ID: 9db934d4c68ec2b0c44c26c27d4fb3b1929c4b8ad818ad4b726df0c1ad14a7e8
                                                      • Opcode Fuzzy Hash: 5886400945f62e640b7aca601df0ed852ab5771437386ac562598905bb08fdf2
                                                      • Instruction Fuzzy Hash: B8C1ACB5A083468FD308CF19D581A1AFBE2FF98304F18492EF49997751D331E949CB96
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 06beb75dbb4b45a234c34b4d7b5d475ac3b88f36d54ab3333beea7c8e6a0840e
                                                      • Instruction ID: cab87267b061475cd8692a843481c2a51ad036a5ad7a41577ca3c4203fa71237
                                                      • Opcode Fuzzy Hash: 06beb75dbb4b45a234c34b4d7b5d475ac3b88f36d54ab3333beea7c8e6a0840e
                                                      • Instruction Fuzzy Hash: A5516E7370421A4B872CDD6DCD5026EB3D2ABC4309F1A8B3EE892D7B85D934E8098791
                                                      APIs
                                                      • OpenEventA.KERNEL32(00100002,00000000,00000000,449EB355), ref: 6C8CEDC5
                                                      • CloseHandle.KERNEL32(00000000), ref: 6C8CEDDA
                                                      • ResetEvent.KERNEL32(00000000,449EB355), ref: 6C8CEDE4
                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 6C8CEE31
                                                      • CloseHandle.KERNEL32(00000000), ref: 6C8CEE46
                                                      • SetEvent.KERNEL32(00000000), ref: 6C8CEE55
                                                      • CloseHandle.KERNEL32(00000000,449EB355), ref: 6C8CEE68
                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,449EB355), ref: 6C8CEEBF
                                                      • CloseHandle.KERNEL32(00000000), ref: 6C8CEED4
                                                      • WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,449EB355), ref: 6C8CEEE6
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: Event$CloseHandle$Create$ObjectOpenResetSingleWait
                                                      • String ID:
                                                      • API String ID: 3951656645-0
                                                      • Opcode ID: 78907af16882ba30784c4dd1d173687ee0623176595aef9ac9042bd29717dbec
                                                      • Instruction ID: e59c6b06e0e89b064f216d155d5b2915d5ea5e5b7f6b0e005b6acfe9f0f23333
                                                      • Opcode Fuzzy Hash: 78907af16882ba30784c4dd1d173687ee0623176595aef9ac9042bd29717dbec
                                                      • Instruction Fuzzy Hash: 43517F71E0535CABDF21CBE9C945B9EB7B8AF09719F104619E828AB680D730D905CBD2
                                                      APIs
                                                      • MulDiv.KERNEL32(?,?,?), ref: 00B361BD
                                                      • MulDiv.KERNEL32(?,?,?), ref: 00B361D7
                                                      • MulDiv.KERNEL32(?,?,?), ref: 00B36205
                                                      • MulDiv.KERNEL32(?,?,?), ref: 00B3621B
                                                      • MulDiv.KERNEL32(?,?,?), ref: 00B36253
                                                      • MulDiv.KERNEL32(?,?,?), ref: 00B3626B
                                                      • MulDiv.KERNEL32(?,?,0000001F), ref: 00B362B5
                                                      • MulDiv.KERNEL32(?,?,0000001F), ref: 00B362DE
                                                      • MulDiv.KERNEL32(00000000,?,0000001F), ref: 00B36304
                                                        • Part of subcall function 00B11B9C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00B11BA9
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                      • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dfacf1816af764f46010077fa48923bf8848788164ee88afd2da78d09301ae16
                                                      • Instruction ID: ede6cce74a7afc734105cc016242e3c2b7b4a6a1faa945c64c00cbf90333e66e
                                                      • Opcode Fuzzy Hash: dfacf1816af764f46010077fa48923bf8848788164ee88afd2da78d09301ae16
                                                      • Instruction Fuzzy Hash: DB510871608740BFC320EBA9C985B6BBBE9AF49740F248C5DF9D6C7352C635E8448B60
                                                      APIs
                                                      • _ValidateLocalCookies.LIBCMT ref: 6C8BCD17
                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 6C8BCD1F
                                                      • _ValidateLocalCookies.LIBCMT ref: 6C8BCDA8
                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 6C8BCDD3
                                                      • _ValidateLocalCookies.LIBCMT ref: 6C8BCE28
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                      • String ID: csm
                                                      • API String ID: 1170836740-1018135373
                                                      • Opcode ID: 4dbf197999cd6eff70da2cc5dbc361ab2caa2e43a3a491e0d0fe1e3500a246b9
                                                      • Instruction ID: 16aa4e00de601e14ef45b502f1522438f361279218b98a2dcc3bbee5f3e234fa
                                                      • Opcode Fuzzy Hash: 4dbf197999cd6eff70da2cc5dbc361ab2caa2e43a3a491e0d0fe1e3500a246b9
                                                      • Instruction Fuzzy Hash: 6C41B434A00219ABCF20DF6DC980ADEBFB5EF45318F148966E824BB756D731E915CB90
                                                      APIs
                                                      • FreeLibrary.KERNEL32(00000000,?,6C8C3D12,?,?,00000000,6C8BB016,?,?,6C8C3E8B,00000022,FlsSetValue,6C9182F8,6C918300,6C8BB016), ref: 6C8C3CC4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3530657977.000000006C881000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C880000, based on PE: true
                                                      • Associated: 00000003.00000002.3530606842.000000006C880000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531323634.000000006C8EF000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531674787.000000006C921000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000003.00000002.3531785216.000000006C923000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6c880000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: FreeLibrary
                                                      • String ID: api-ms-$ext-ms-
                                                      • API String ID: 3664257935-537541572
                                                      • Opcode ID: 5c11510621d2ede501de6ad73d9cc51af402ab575cefdfad1705b3b0650ac70e
                                                      • Instruction ID: d673ac2583b7f1277e01fca74c25201468650be8a051ad69e06a56381cefbdc3
                                                      • Opcode Fuzzy Hash: 5c11510621d2ede501de6ad73d9cc51af402ab575cefdfad1705b3b0650ac70e
                                                      • Instruction Fuzzy Hash: CA213D31B85214A7C7318735DD44ACE33789F42378F260A20E915A7A80D734EE06C6D2
                                                      APIs
                                                      • GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 00B300FA
                                                      • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 00B3014C
                                                      • DrawMenuBar.USER32(00000000), ref: 00B30159
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.3501414623.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true
                                                      • Associated: 00000003.00000002.3501392560.0000000000AF0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501797081.0000000000B47000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.3501860351.0000000000B4D000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_af0000_AudioReaderXL.jbxd
                                                      Similarity
                                                      • API ID: Menu$InfoItem$Draw
                                                      • String ID: P
                                                      • API String ID: 3227129158-3110715001
                                                      • Opcode ID: 66fc518a50f989ec40ab0f482acd392ce6f56dc7bc4908b56582a2e6b7d9e64e
                                                      • Instruction ID: b1c5e4f21e83b85f22ccfd0cadd8f18a8791fa9f599a5247b62deb0d14d7846e
                                                      • Opcode Fuzzy Hash: 66fc518a50f989ec40ab0f482acd392ce6f56dc7bc4908b56582a2e6b7d9e64e
                                                      • Instruction Fuzzy Hash: 1711E3306156046FD720EF28CC81B5B7AD5EF84364F248668F1A8DB3E9D775C988C786